Analysis
-
max time kernel
156s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 10:41
Static task
static1
Behavioral task
behavioral1
Sample
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe
Resource
win10v2004-20220812-en
General
-
Target
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe
-
Size
205KB
-
MD5
8f2c91d52951d6da1be44ac1ee38cbd3
-
SHA1
0d374f2cb7e25566c489eec0a3244ee05562bc68
-
SHA256
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a
-
SHA512
c0770d0b8761fbfbdfd49acbffa979ba605be6795f70e9a533e7984824a3964622f27f0c2303480126994e75e15abbd196c6f3b7fac23fa5add204fc63aae615
-
SSDEEP
3072:eqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:eqhMPssRARoiSoS3SsQLH5AK
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes:
services.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe winlogon.exe csrss.exe smss.exe lsass.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe -
Modifies system executable filetype association 2 TTPs 8 IoCs
Processes:
services.exe csrss.exenizv.exe4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe winlogon.exe csrss.exe smss.exe lsass.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
Processes:
smss.exe lsass.exe services.exe csrss.exenizv.exe4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe winlogon.exe csrss.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nizv.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
Processes:
lsass.exe services.exe csrss.exenizv.exe4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe winlogon.exe csrss.exe smss.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nizv.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe -
Processes:
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe winlogon.exe csrss.exe smss.exe lsass.exe services.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe -
Disables RegEdit via registry modification 6 IoCs
Processes:
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe winlogon.exe csrss.exe smss.exe lsass.exe services.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
Processes:
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe csrss.execsrss.exe csrss.execsrss.exe nizv.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exesmss.exe smss.exe lsass.exelsass.exelsass.exe lsass.exe services.exeservices.exeservices.exe services.exe winlogon.exewinlogon.exewinlogon.exe winlogon.exe csrss.exe~Paraysutki_VM_Community~csrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~pid process 4928 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe 4936 csrss.exe 3232 csrss.exe 396 csrss.exe 3396 csrss.exe 1644 nizv.exe 2044 smss.exe 2092 smss.exe 4400 csrss.exe 4060 csrss.exe 4316 smss.exe 4864 smss.exe 4856 lsass.exe 2636 lsass.exe 4800 csrss.exe 4836 csrss.exe 2348 smss.exe 3696 smss.exe 3620 lsass.exe 1100 lsass.exe 2808 services.exe 1392 services.exe 4132 csrss.exe 1564 csrss.exe 3816 smss.exe 3992 smss.exe 3464 smss.exe 4840 smss.exe 3408 lsass.exe 1576 lsass.exe 384 lsass.exe 828 lsass.exe 5112 services.exe 3368 services.exe 4080 services.exe 4760 services.exe 1884 winlogon.exe 680 winlogon.exe 4756 winlogon.exe 5064 winlogon.exe 1304 csrss.exe 2732 ~Paraysutki_VM_Community~ 3448 csrss.exe 3828 smss.exe 4320 smss.exe 5116 lsass.exe 1756 lsass.exe 4924 services.exe 3648 services.exe 3188 winlogon.exe 4068 winlogon.exe 4168 ~Paraysutki_VM_Community~ 4092 lsass.exe 4992 lsass.exe 2240 services.exe 2680 services.exe 2984 winlogon.exe 3312 winlogon.exe 2800 ~Paraysutki_VM_Community~ 4540 services.exe 2904 services.exe 204 winlogon.exe 224 winlogon.exe 4740 ~Paraysutki_VM_Community~ -
Sets file execution options in registry 2 TTPs 64 IoCs
Processes:
winlogon.exe csrss.exe smss.exe lsass.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe services.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" services.exe -
Loads dropped DLL 64 IoCs
Processes:
csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exesmss.exe smss.exe lsass.exelsass.exelsass.exe lsass.exe services.exeservices.exeservices.exe services.exe winlogon.exewinlogon.exewinlogon.exe winlogon.exe csrss.exe~Paraysutki_VM_Community~csrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~winlogon.exewinlogon.exepid process 4936 csrss.exe 3232 csrss.exe 396 csrss.exe 3396 csrss.exe 2044 smss.exe 2092 smss.exe 4400 csrss.exe 4060 csrss.exe 4316 smss.exe 4864 smss.exe 4856 lsass.exe 2636 lsass.exe 4800 csrss.exe 4836 csrss.exe 2348 smss.exe 3696 smss.exe 3620 lsass.exe 1100 lsass.exe 2808 services.exe 1392 services.exe 4132 csrss.exe 1564 csrss.exe 3816 smss.exe 3992 smss.exe 3464 smss.exe 4840 smss.exe 3408 lsass.exe 1576 lsass.exe 384 lsass.exe 828 lsass.exe 5112 services.exe 3368 services.exe 4080 services.exe 4760 services.exe 1884 winlogon.exe 680 winlogon.exe 4756 winlogon.exe 5064 winlogon.exe 1304 csrss.exe 2732 ~Paraysutki_VM_Community~ 3448 csrss.exe 3828 smss.exe 4320 smss.exe 5116 lsass.exe 1756 lsass.exe 4924 services.exe 3648 services.exe 3188 winlogon.exe 4068 winlogon.exe 4168 ~Paraysutki_VM_Community~ 4092 lsass.exe 4992 lsass.exe 2240 services.exe 2680 services.exe 2984 winlogon.exe 3312 winlogon.exe 2800 ~Paraysutki_VM_Community~ 4540 services.exe 2904 services.exe 204 winlogon.exe 224 winlogon.exe 4740 ~Paraysutki_VM_Community~ 3896 winlogon.exe 3344 winlogon.exe -
Adds Run key to start application 2 TTPs 38 IoCs
Processes:
csrss.exe services.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe lsass.exe nizv.exewinlogon.exe smss.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run lsass.exe -
Processes:
services.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe winlogon.exe csrss.exe smss.exe lsass.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
nizv.exedescription ioc process File opened (read-only) \??\H: nizv.exe File opened (read-only) \??\J: nizv.exe File opened (read-only) \??\K: nizv.exe File opened (read-only) \??\M: nizv.exe File opened (read-only) \??\O: nizv.exe File opened (read-only) \??\X: nizv.exe File opened (read-only) \??\B: nizv.exe File opened (read-only) \??\G: nizv.exe File opened (read-only) \??\Y: nizv.exe File opened (read-only) \??\V: nizv.exe File opened (read-only) \??\L: nizv.exe File opened (read-only) \??\U: nizv.exe File opened (read-only) \??\R: nizv.exe File opened (read-only) \??\S: nizv.exe File opened (read-only) \??\W: nizv.exe File opened (read-only) \??\Z: nizv.exe File opened (read-only) \??\E: nizv.exe File opened (read-only) \??\P: nizv.exe File opened (read-only) \??\N: nizv.exe File opened (read-only) \??\Q: nizv.exe File opened (read-only) \??\T: nizv.exe File opened (read-only) \??\F: nizv.exe File opened (read-only) \??\I: nizv.exe -
Drops file in System32 directory 64 IoCs
Processes:
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe csrss.execsrss.exe winlogon.exe lsass.exe smss.exe lsass.exeservices.exesmss.exeservices.exe services.execsrss.exeservices.exe~Paraysutki_VM_Community~nizv.execsrss.exeservices.exe4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exesmss.exesmss.exesmss.exedescription ioc process File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe smss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt lsass.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe winlogon.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe csrss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe winlogon.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm nizv.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe lsass.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe services.exe File created \??\c:\windows\SysWOW64\maxtrox.txt 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt smss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt smss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe csrss.exe -
Drops file in Program Files directory 27 IoCs
Processes:
nizv.exedescription ioc process File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\setup_wm.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe nizv.exe File opened for modification \??\c:\Program Files\7-Zip\7zG.exe nizv.exe File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe nizv.exe File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe nizv.exe File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe nizv.exe File opened for modification \??\c:\Program Files\7-Zip\7z.exe nizv.exe File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe nizv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe nizv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe nizv.exe File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe nizv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
winlogon.exe csrss.exe smss.exe lsass.exe services.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main services.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" smss.exe -
Modifies registry class 48 IoCs
Processes:
csrss.exe csrss.exenizv.exewinlogon.exe lsass.exe services.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe smss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt nizv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" nizv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command nizv.exe -
Runs ping.exe 1 TTPs 18 IoCs
Processes:
ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exepid process 904 ping.exe 1908 ping.exe 3048 ping.exe 4140 ping.exe 3212 ping.exe 2284 ping.exe 2128 ping.exe 4132 ping.exe 2988 ping.exe 3524 ping.exe 3164 ping.exe 2812 ping.exe 1476 ping.exe 772 ping.exe 3492 ping.exe 3464 ping.exe 3224 ping.exe 4508 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
csrss.exesmss.exepid process 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 4936 csrss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe 2044 smss.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exepid process 4512 rundll32.exe 3100 rundll32.exe 4552 rundll32.exe 3168 rundll32.exe 2464 rundll32.exe 3356 rundll32.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe csrss.execsrss.exe csrss.execsrss.exe nizv.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exesmss.exe smss.exe lsass.exelsass.exelsass.exe lsass.exe services.exeservices.exeservices.exe services.exe winlogon.exewinlogon.exewinlogon.exe winlogon.exe csrss.exe~Paraysutki_VM_Community~csrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~services.exeservices.exe winlogon.exewinlogon.exepid process 4184 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe 4928 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe 4936 csrss.exe 3232 csrss.exe 396 csrss.exe 3396 csrss.exe 1644 nizv.exe 2044 smss.exe 2092 smss.exe 4400 csrss.exe 4060 csrss.exe 4316 smss.exe 4864 smss.exe 4856 lsass.exe 2636 lsass.exe 4800 csrss.exe 4836 csrss.exe 2348 smss.exe 3696 smss.exe 3620 lsass.exe 1100 lsass.exe 2808 services.exe 1392 services.exe 4132 csrss.exe 1564 csrss.exe 3816 smss.exe 3992 smss.exe 3464 smss.exe 4840 smss.exe 1576 lsass.exe 3408 lsass.exe 384 lsass.exe 828 lsass.exe 5112 services.exe 3368 services.exe 4080 services.exe 4760 services.exe 1884 winlogon.exe 680 winlogon.exe 5064 winlogon.exe 4756 winlogon.exe 1304 csrss.exe 2732 ~Paraysutki_VM_Community~ 3448 csrss.exe 3828 smss.exe 4320 smss.exe 5116 lsass.exe 1756 lsass.exe 4924 services.exe 3648 services.exe 3188 winlogon.exe 4068 winlogon.exe 4168 ~Paraysutki_VM_Community~ 4092 lsass.exe 4992 lsass.exe 2240 services.exe 2680 services.exe 2984 winlogon.exe 3312 winlogon.exe 2800 ~Paraysutki_VM_Community~ 4540 services.exe 2904 services.exe 204 winlogon.exe 224 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe csrss.execsrss.exe csrss.exesmss.exesmss.exe csrss.exesmss.exelsass.exelsass.exe csrss.exesmss.exelsass.exeservices.exedescription pid process target process PID 4184 wrote to memory of 4928 4184 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe PID 4184 wrote to memory of 4928 4184 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe PID 4184 wrote to memory of 4928 4184 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe PID 4928 wrote to memory of 4936 4928 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe csrss.exe PID 4928 wrote to memory of 4936 4928 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe csrss.exe PID 4928 wrote to memory of 4936 4928 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe csrss.exe PID 4936 wrote to memory of 3232 4936 csrss.exe csrss.exe PID 4936 wrote to memory of 3232 4936 csrss.exe csrss.exe PID 4936 wrote to memory of 3232 4936 csrss.exe csrss.exe PID 3232 wrote to memory of 396 3232 csrss.exe csrss.exe PID 3232 wrote to memory of 396 3232 csrss.exe csrss.exe PID 3232 wrote to memory of 396 3232 csrss.exe csrss.exe PID 396 wrote to memory of 3396 396 csrss.exe csrss.exe PID 396 wrote to memory of 3396 396 csrss.exe csrss.exe PID 396 wrote to memory of 3396 396 csrss.exe csrss.exe PID 396 wrote to memory of 1644 396 csrss.exe nizv.exe PID 396 wrote to memory of 1644 396 csrss.exe nizv.exe PID 396 wrote to memory of 1644 396 csrss.exe nizv.exe PID 3232 wrote to memory of 2044 3232 csrss.exe smss.exe PID 3232 wrote to memory of 2044 3232 csrss.exe smss.exe PID 3232 wrote to memory of 2044 3232 csrss.exe smss.exe PID 2044 wrote to memory of 2092 2044 smss.exe smss.exe PID 2044 wrote to memory of 2092 2044 smss.exe smss.exe PID 2044 wrote to memory of 2092 2044 smss.exe smss.exe PID 2092 wrote to memory of 4400 2092 smss.exe csrss.exe PID 2092 wrote to memory of 4400 2092 smss.exe csrss.exe PID 2092 wrote to memory of 4400 2092 smss.exe csrss.exe PID 4400 wrote to memory of 4060 4400 csrss.exe csrss.exe PID 4400 wrote to memory of 4060 4400 csrss.exe csrss.exe PID 4400 wrote to memory of 4060 4400 csrss.exe csrss.exe PID 2092 wrote to memory of 4316 2092 smss.exe smss.exe PID 2092 wrote to memory of 4316 2092 smss.exe smss.exe PID 2092 wrote to memory of 4316 2092 smss.exe smss.exe PID 4316 wrote to memory of 4864 4316 smss.exe smss.exe PID 4316 wrote to memory of 4864 4316 smss.exe smss.exe PID 4316 wrote to memory of 4864 4316 smss.exe smss.exe PID 2092 wrote to memory of 4856 2092 smss.exe lsass.exe PID 2092 wrote to memory of 4856 2092 smss.exe lsass.exe PID 2092 wrote to memory of 4856 2092 smss.exe lsass.exe PID 4856 wrote to memory of 2636 4856 lsass.exe lsass.exe PID 4856 wrote to memory of 2636 4856 lsass.exe lsass.exe PID 4856 wrote to memory of 2636 4856 lsass.exe lsass.exe PID 2636 wrote to memory of 4800 2636 lsass.exe csrss.exe PID 2636 wrote to memory of 4800 2636 lsass.exe csrss.exe PID 2636 wrote to memory of 4800 2636 lsass.exe csrss.exe PID 4800 wrote to memory of 4836 4800 csrss.exe csrss.exe PID 4800 wrote to memory of 4836 4800 csrss.exe csrss.exe PID 4800 wrote to memory of 4836 4800 csrss.exe csrss.exe PID 2636 wrote to memory of 2348 2636 lsass.exe smss.exe PID 2636 wrote to memory of 2348 2636 lsass.exe smss.exe PID 2636 wrote to memory of 2348 2636 lsass.exe smss.exe PID 2348 wrote to memory of 3696 2348 smss.exe smss.exe PID 2348 wrote to memory of 3696 2348 smss.exe smss.exe PID 2348 wrote to memory of 3696 2348 smss.exe smss.exe PID 2636 wrote to memory of 3620 2636 lsass.exe lsass.exe PID 2636 wrote to memory of 3620 2636 lsass.exe lsass.exe PID 2636 wrote to memory of 3620 2636 lsass.exe lsass.exe PID 3620 wrote to memory of 1100 3620 lsass.exe lsass.exe PID 3620 wrote to memory of 1100 3620 lsass.exe lsass.exe PID 3620 wrote to memory of 1100 3620 lsass.exe lsass.exe PID 2636 wrote to memory of 2808 2636 lsass.exe services.exe PID 2636 wrote to memory of 2808 2636 lsass.exe services.exe PID 2636 wrote to memory of 2808 2636 lsass.exe services.exe PID 2808 wrote to memory of 1392 2808 services.exe services.exe -
System policy modification 1 TTPs 12 IoCs
Processes:
winlogon.exe csrss.exe smss.exe lsass.exe 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe services.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe"C:\Users\Admin\AppData\Local\Temp\4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe"1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exeC:\Users\Admin\AppData\Local\Temp\4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4928 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3232 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3396 -
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\nizv.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\nizv.exe" csrss6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1644 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2092 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4060 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4864 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3696 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1100 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1392 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4132 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1564 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3992 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4840 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1576 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:384 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5112 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4080 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1884 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5064 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1304 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3448 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3828 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4320 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5116 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1756 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4924 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3648 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3188 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4068 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4168 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
PID:3100 -
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
PID:3524 -
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121013⤵
- Runs ping.exe
PID:3224 -
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
PID:4508 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe13⤵PID:3272
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe13⤵PID:3932
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe13⤵PID:3436
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe13⤵PID:3964
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe13⤵PID:2984
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe13⤵PID:1044
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~11⤵PID:2356
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
PID:3168 -
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121011⤵
- Runs ping.exe
PID:4140 -
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
PID:3164 -
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
PID:3048 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe11⤵PID:3816
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe11⤵PID:4744
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe11⤵PID:2160
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe11⤵PID:612
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe11⤵PID:3396
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe11⤵PID:3732
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
- Loads dropped DLL
PID:3896 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
- Loads dropped DLL
PID:3344 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:3380
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:4512 -
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
PID:3212 -
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
PID:2284 -
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
PID:3492 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:1820
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:3068
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:5016
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:4656
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:3656
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:4620
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4540 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2904 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:204 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:224 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4740 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:2464 -
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
PID:4132 -
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
PID:1476 -
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
PID:772 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:1516
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:5004
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:4084
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:1288
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:1812
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:804
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4092 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4992 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2240 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2680 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2984 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3312 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2800 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
PID:4552 -
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- Runs ping.exe
PID:904 -
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
PID:3464 -
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
PID:2988 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵PID:4672
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵PID:536
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵PID:5092
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵PID:4136
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵PID:3228
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵PID:1096
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3816 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3464 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3408 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:828 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3368 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4760 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:680 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4756 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2732 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
PID:3356 -
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- Runs ping.exe
PID:2812 -
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- Runs ping.exe
PID:2128 -
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
PID:1908 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵PID:1428
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe3⤵PID:3088
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe3⤵PID:1264
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe3⤵PID:4280
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe3⤵PID:1688
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe3⤵PID:960
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4836
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
1Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe
Filesize129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Users\Admin\AppData\Local\Temp\4687fe71e7d3b3866a5ffdc9622daff21bb0d565d2d0918345998d37bb98671a.exe
Filesize129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
76KB
MD54c8403d5db69e9e6599d10a6b9070563
SHA13a56264599d983c475b66fa5414fd46f5947766d
SHA2562c1e80716c32bd0227f66c4e8afb63ec9e7fd6e335fdc18be370e63e2e987f92
SHA512e51d98d2e1661b35b41e070c657ee5143063ef7ca64cfa4bf46ef19a0761ceb9cfc7a86cd4a11603da446409fa4a1409645f31fdb42d094fbab43ae41f0fe513
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
205KB
MD5067969cefa5008c2d31aa67a4d7b9c8e
SHA1fef3828486b9f316cb939a70949211c533e3f08e
SHA25659512f1d3aac6af4af4b5fc99a57ffbb9515bc785fceeb80ed2c9b3375b98a31
SHA512af60219a4ec8d4c4c9716040ea57beb7705a2596d5d718be5ab92b58d2d05637dbfecee766412387e928c6064eac07888e17bb236736785af53f21cf143169e2
-
Filesize
76KB
MD54c8403d5db69e9e6599d10a6b9070563
SHA13a56264599d983c475b66fa5414fd46f5947766d
SHA2562c1e80716c32bd0227f66c4e8afb63ec9e7fd6e335fdc18be370e63e2e987f92
SHA512e51d98d2e1661b35b41e070c657ee5143063ef7ca64cfa4bf46ef19a0761ceb9cfc7a86cd4a11603da446409fa4a1409645f31fdb42d094fbab43ae41f0fe513
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062