24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Size

127KB
MD5

a1f906cca600c01f6dd03c61b89aafd8
SHA1

d1f299a68712dbfcf307384cc8b78a43d6ed11a3
SHA256

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12
SHA512

d917bd03d27f2f7a4e9ba0bbcf77efc456271765a1d693cfb9a986ee1b313ca4fe44a576897549eaf26a518581dc8c9e1ee2300c54d816acd298040b35856c89
SSDEEP

1536:EnqJu3abBGy3G8V0iuoKTMUYU6U5jUdPQc+n35KZg8/nouy8Iu:EqlMPsgMYjUtQl78vout

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

lsass.exe services.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe winlogon.exe services.exe winlogon.exe services.exe winlogon.exe smss.exe csrss.exe services.exe csrss.exe lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe

Modifies system executable filetype association 2 TTPs 15 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

csrss.exewinlogon.exe lsass.exe smss.exe csrss.exe lsass.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe winlogon.exe csrss.exe ndsw.exeservices.exe services.exe winlogon.exe services.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Modifies visibility of file extensions in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

services.exe winlogon.exe winlogon.exe csrss.exe services.exe services.exe lsass.exe smss.exe services.exe csrss.exewinlogon.exe lsass.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe csrss.exe ndsw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ndsw.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

smss.exe ndsw.exewinlogon.exe services.exe services.exe services.exe winlogon.exe lsass.exe csrss.exe services.exe winlogon.exe csrss.exelsass.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ndsw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

services.exe csrss.exe winlogon.exe services.exe winlogon.exe lsass.exe services.exe winlogon.exe services.exe lsass.exe csrss.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe smss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Disables RegEdit via registry modification 13 IoCs

evasion

Processes:

lsass.exe smss.exe csrss.exe winlogon.exe services.exe csrss.exe lsass.exe services.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe winlogon.exe services.exe services.exe winlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe csrss.execsrss.exe csrss.execsrss.exe ndsw.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exeParaysutki_VM_Communitylsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe Paraysutki_VM_Communitywinlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe

pid	process
1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
2024	csrss.exe
1988	csrss.exe
1764	csrss.exe
328	csrss.exe
2028	ndsw.exe
972	smss.exe
736	smss.exe
780	csrss.exe
1568	csrss.exe
368	smss.exe
680	smss.exe
1728	lsass.exe
1256	lsass.exe
940	csrss.exe
1484	csrss.exe
668	smss.exe
2040	Paraysutki_VM_Community
796	lsass.exe
1224	lsass.exe
588	services.exe
1756	services.exe
2032	csrss.exe
1724	csrss.exe
1636	smss.exe
816	smss.exe
1600	lsass.exe
1188	lsass.exe
1176	services.exe
1904	services.exe
332	winlogon.exe
1992	winlogon.exe
780	csrss.exe
1772	csrss.exe
1664	smss.exe
240	smss.exe
1648	lsass.exe
1460	lsass.exe
1344	services.exe
1996	services.exe
1300	winlogon.exe
1640	winlogon.exe
2040	Paraysutki_VM_Community
328	Paraysutki_VM_Community
1672	winlogon.exe
1664	winlogon.exe
936	csrss.exe
940	csrss.exe
1304	smss.exe
1832	smss.exe
1224	lsass.exe
1848	lsass.exe
1876	services.exe
1992	services.exe
1688	csrss.exe
1136	csrss.exe
1336	smss.exe
1744	smss.exe
240	lsass.exe
892	lsass.exe
268	services.exe
1476	services.exe
1300	winlogon.exe
1356	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csrss.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe smss.exe winlogon.exe winlogon.exe services.exe services.exe lsass.exe lsass.exe csrss.exe winlogon.exe services.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	services.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
1816	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
1816	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
1988	csrss.exe
1988	csrss.exe
1988	csrss.exe
1764	csrss.exe
1764	csrss.exe
328	csrss.exe
1764	csrss.exe
1764	csrss.exe
1988	csrss.exe
1988	csrss.exe
972	smss.exe
972	smss.exe
972	smss.exe
736	smss.exe
736	smss.exe
736	smss.exe
780	csrss.exe
780	csrss.exe
1568	csrss.exe
736	smss.exe
736	smss.exe
368	smss.exe
368	smss.exe
680	smss.exe
736	smss.exe
736	smss.exe
1728	lsass.exe
1728	lsass.exe
1728	lsass.exe
1256	lsass.exe
1256	lsass.exe
1256	lsass.exe
940	csrss.exe
940	csrss.exe
1484	csrss.exe
1256	lsass.exe
1256	lsass.exe
668	smss.exe
668	smss.exe
2040	Paraysutki_VM_Community
1256	lsass.exe
1256	lsass.exe
796	lsass.exe
796	lsass.exe
1224	lsass.exe
1256	lsass.exe
1256	lsass.exe
588	services.exe
588	services.exe
588	services.exe
1756	services.exe
1756	services.exe
1756	services.exe
2032	csrss.exe
2032	csrss.exe
1724	csrss.exe
1756	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe lsass.exe lsass.exe smss.exe csrss.exe services.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe services.exe csrss.exe services.exe ndsw.exewinlogon.exe winlogon.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	csrss.exe

Checks whether UAC is enabled 1 TTPs 13 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.exe smss.exe winlogon.exe winlogon.exe services.exe lsass.exe lsass.exe services.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe services.exe csrss.exe services.exe winlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ndsw.exe

description	ioc	process
File opened (read-only)	\??\Q:	ndsw.exe
File opened (read-only)	\??\E:	ndsw.exe
File opened (read-only)	\??\F:	ndsw.exe
File opened (read-only)	\??\G:	ndsw.exe
File opened (read-only)	\??\I:	ndsw.exe
File opened (read-only)	\??\J:	ndsw.exe
File opened (read-only)	\??\K:	ndsw.exe
File opened (read-only)	\??\M:	ndsw.exe
File opened (read-only)	\??\R:	ndsw.exe
File opened (read-only)	\??\U:	ndsw.exe
File opened (read-only)	\??\W:	ndsw.exe
File opened (read-only)	\??\O:	ndsw.exe
File opened (read-only)	\??\V:	ndsw.exe
File opened (read-only)	\??\X:	ndsw.exe
File opened (read-only)	\??\Z:	ndsw.exe
File opened (read-only)	\??\B:	ndsw.exe
File opened (read-only)	\??\H:	ndsw.exe
File opened (read-only)	\??\L:	ndsw.exe
File opened (read-only)	\??\P:	ndsw.exe
File opened (read-only)	\??\S:	ndsw.exe
File opened (read-only)	\??\N:	ndsw.exe
File opened (read-only)	\??\T:	ndsw.exe
File opened (read-only)	\??\Y:	ndsw.exe

Drops file in System32 directory 64 IoCs

Processes:

services.exe smss.execsrss.execsrss.exe24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe smss.exe winlogon.exewinlogon.exe services.exe winlogon.exe services.exewinlogon.exe services.exe services.exelsass.exe winlogon.execsrss.exe ndsw.exeParaysutki_VM_Communitycsrss.exelsass.exeservices.exewinlogon.exewinlogon.exe services.exewinlogon.exesmss.exelsass.exe services.exe smss.exesmss.execsrss.exeservices.exelsass.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	ndsw.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	ndsw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe

Drops file in Program Files directory 34 IoCs

Processes:

ndsw.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	ndsw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	ndsw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

services.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe lsass.exe csrss.exe lsass.exe smss.exe winlogon.exe services.exe winlogon.exe services.exe winlogon.exe csrss.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe

Modifies registry class 62 IoCs

Processes:

ndsw.execsrss.exelsass.exe csrss.exe services.exe smss.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe winlogon.exe services.exe services.exe winlogon.exe lsass.exe winlogon.exe services.exe csrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ndsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	ndsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	ndsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	ndsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	ndsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	ndsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	ndsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	ndsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Runs ping.exe 1 TTPs 36 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
656	ping.exe
2272	ping.exe
2408	ping.exe
2652	ping.exe
2624	ping.exe
2580	ping.exe
2148	ping.exe
1548	ping.exe
1740	ping.exe
2232	ping.exe
2144	ping.exe
2724	ping.exe
1472	ping.exe
1012	ping.exe
1688	ping.exe
2972	ping.exe
2656	ping.exe
824	ping.exe
2200	ping.exe
2216	ping.exe
2688	ping.exe
2424	ping.exe
1572	ping.exe
1256	ping.exe
1224	ping.exe
1876	ping.exe
2320	ping.exe
1808	ping.exe
2992	ping.exe
2684	ping.exe
2452	ping.exe
1756	ping.exe
1772	ping.exe
964	ping.exe
2936	ping.exe
2072	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winlogon.exeservices.exe

pid	process
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
332	winlogon.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe
588	services.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1624	rundll32.exe
1760	rundll32.exe
328	rundll32.exe
940	rundll32.exe
2132	rundll32.exe
3048	rundll32.exe
3032	rundll32.exe
2704	rundll32.exe
2924	rundll32.exe
2400	rundll32.exe
2752	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe csrss.execsrss.exe csrss.execsrss.exe ndsw.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.exesmss.exeParaysutki_VM_Communitylsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe Paraysutki_VM_Communitywinlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe

pid	process
1816	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
2024	csrss.exe
1988	csrss.exe
1764	csrss.exe
328	csrss.exe
2028	ndsw.exe
972	smss.exe
736	smss.exe
780	csrss.exe
1568	csrss.exe
368	smss.exe
680	smss.exe
1728	lsass.exe
1256	lsass.exe
940	csrss.exe
668	smss.exe
2040	Paraysutki_VM_Community
796	lsass.exe
1224	lsass.exe
588	services.exe
1756	services.exe
2032	csrss.exe
1724	csrss.exe
1636	smss.exe
816	smss.exe
1600	lsass.exe
1188	lsass.exe
1176	services.exe
1904	services.exe
332	winlogon.exe
1992	winlogon.exe
780	csrss.exe
1772	csrss.exe
1664	smss.exe
240	smss.exe
1648	lsass.exe
1460	lsass.exe
1344	services.exe
1996	services.exe
1300	winlogon.exe
1640	winlogon.exe
2040	Paraysutki_VM_Community
328	Paraysutki_VM_Community
1672	winlogon.exe
1664	winlogon.exe
936	csrss.exe
940	csrss.exe
1304	smss.exe
1832	smss.exe
1224	lsass.exe
1848	lsass.exe
1876	services.exe
1992	services.exe
1688	csrss.exe
1136	csrss.exe
1336	smss.exe
1744	smss.exe
240	lsass.exe
892	lsass.exe
268	services.exe
1476	services.exe
1300	winlogon.exe
1356	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1816 wrote to memory of 1108	1816	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
PID 1816 wrote to memory of 1108	1816	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
PID 1816 wrote to memory of 1108	1816	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
PID 1816 wrote to memory of 1108	1816	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
PID 1108 wrote to memory of 2024	1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	csrss.exe
PID 1108 wrote to memory of 2024	1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	csrss.exe
PID 1108 wrote to memory of 2024	1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	csrss.exe
PID 1108 wrote to memory of 2024	1108	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	csrss.exe
PID 2024 wrote to memory of 1988	2024	csrss.exe	csrss.exe
PID 2024 wrote to memory of 1988	2024	csrss.exe	csrss.exe
PID 2024 wrote to memory of 1988	2024	csrss.exe	csrss.exe
PID 2024 wrote to memory of 1988	2024	csrss.exe	csrss.exe
PID 1988 wrote to memory of 1764	1988	csrss.exe	csrss.exe
PID 1988 wrote to memory of 1764	1988	csrss.exe	csrss.exe
PID 1988 wrote to memory of 1764	1988	csrss.exe	csrss.exe
PID 1988 wrote to memory of 1764	1988	csrss.exe	csrss.exe
PID 1764 wrote to memory of 328	1764	csrss.exe	csrss.exe
PID 1764 wrote to memory of 328	1764	csrss.exe	csrss.exe
PID 1764 wrote to memory of 328	1764	csrss.exe	csrss.exe
PID 1764 wrote to memory of 328	1764	csrss.exe	csrss.exe
PID 1764 wrote to memory of 2028	1764	csrss.exe	ndsw.exe
PID 1764 wrote to memory of 2028	1764	csrss.exe	ndsw.exe
PID 1764 wrote to memory of 2028	1764	csrss.exe	ndsw.exe
PID 1764 wrote to memory of 2028	1764	csrss.exe	ndsw.exe
PID 1988 wrote to memory of 972	1988	csrss.exe	smss.exe
PID 1988 wrote to memory of 972	1988	csrss.exe	smss.exe
PID 1988 wrote to memory of 972	1988	csrss.exe	smss.exe
PID 1988 wrote to memory of 972	1988	csrss.exe	smss.exe
PID 972 wrote to memory of 736	972	smss.exe	smss.exe
PID 972 wrote to memory of 736	972	smss.exe	smss.exe
PID 972 wrote to memory of 736	972	smss.exe	smss.exe
PID 972 wrote to memory of 736	972	smss.exe	smss.exe
PID 736 wrote to memory of 780	736	smss.exe	csrss.exe
PID 736 wrote to memory of 780	736	smss.exe	csrss.exe
PID 736 wrote to memory of 780	736	smss.exe	csrss.exe
PID 736 wrote to memory of 780	736	smss.exe	csrss.exe
PID 780 wrote to memory of 1568	780	csrss.exe	csrss.exe
PID 780 wrote to memory of 1568	780	csrss.exe	csrss.exe
PID 780 wrote to memory of 1568	780	csrss.exe	csrss.exe
PID 780 wrote to memory of 1568	780	csrss.exe	csrss.exe
PID 736 wrote to memory of 368	736	smss.exe	smss.exe
PID 736 wrote to memory of 368	736	smss.exe	smss.exe
PID 736 wrote to memory of 368	736	smss.exe	smss.exe
PID 736 wrote to memory of 368	736	smss.exe	smss.exe
PID 368 wrote to memory of 680	368	smss.exe	smss.exe
PID 368 wrote to memory of 680	368	smss.exe	smss.exe
PID 368 wrote to memory of 680	368	smss.exe	smss.exe
PID 368 wrote to memory of 680	368	smss.exe	smss.exe
PID 736 wrote to memory of 1728	736	smss.exe	lsass.exe
PID 736 wrote to memory of 1728	736	smss.exe	lsass.exe
PID 736 wrote to memory of 1728	736	smss.exe	lsass.exe
PID 736 wrote to memory of 1728	736	smss.exe	lsass.exe
PID 1728 wrote to memory of 1256	1728	lsass.exe	lsass.exe
PID 1728 wrote to memory of 1256	1728	lsass.exe	lsass.exe
PID 1728 wrote to memory of 1256	1728	lsass.exe	lsass.exe
PID 1728 wrote to memory of 1256	1728	lsass.exe	lsass.exe
PID 1256 wrote to memory of 940	1256	lsass.exe	csrss.exe
PID 1256 wrote to memory of 940	1256	lsass.exe	csrss.exe
PID 1256 wrote to memory of 940	1256	lsass.exe	csrss.exe
PID 1256 wrote to memory of 940	1256	lsass.exe	csrss.exe
PID 940 wrote to memory of 1484	940	csrss.exe	csrss.exe
PID 940 wrote to memory of 1484	940	csrss.exe	csrss.exe
PID 940 wrote to memory of 1484	940	csrss.exe	csrss.exe
PID 940 wrote to memory of 1484	940	csrss.exe	csrss.exe

System policy modification 1 TTPs 26 IoCs

evasion

Modify Registry

T1112

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe winlogon.exe services.exe services.exe lsass.exe csrss.exe services.exe smss.exe services.exe winlogon.exe lsass.exe winlogon.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
"C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1108

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
3⤵
- Drops file in System32 directory
PID:2436

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
4⤵
PID:2476

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
3⤵
PID:2544

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
4⤵
PID:2572

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
3⤵
PID:2620

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
4⤵
PID:2640

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
3⤵
PID:2728

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:2784

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Drops file in System32 directory
PID:2824

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
PID:2856

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
PID:2940

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
PID:2980

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
PID:2056

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
PID:1272

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Drops file in System32 directory
PID:2952

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:3000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
PID:2592

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
7⤵
PID:332

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
PID:2984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
PID:3044

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
PID:2664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
- Drops file in System32 directory
PID:1368

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
PID:2676

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
PID:2228

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
- Drops file in System32 directory
PID:2664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
9⤵
- Drops file in System32 directory
PID:332

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:2328

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
11⤵
- Drops file in System32 directory
PID:3020

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
12⤵
PID:1388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
11⤵
- Drops file in System32 directory
PID:1712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
12⤵
PID:1900

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
11⤵
- Drops file in System32 directory
PID:552

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
12⤵
PID:524

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
11⤵
PID:1840

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
12⤵
PID:3044

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
11⤵
PID:948

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
12⤵
PID:524

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
11⤵
PID:1480

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
11⤵
PID:2036

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
9⤵
- Drops file in System32 directory
PID:1904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
10⤵
PID:1516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
9⤵
PID:908

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
9⤵
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
10⤵
PID:332

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
9⤵
PID:2120

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
9⤵
PID:2868

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
7⤵
PID:2148

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
PID:2548

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:2580

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:2148

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1224

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
5⤵
- Drops file in System32 directory
PID:2196

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
PID:2244

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
5⤵
PID:1840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:2752

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:2072

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:2452

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:2424

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
3⤵
PID:2912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:2924

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:2972

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:2936

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:2992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1988

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:736

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
4⤵
PID:780

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:680

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1256

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:796

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:588

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1756

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
9⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
10⤵
- Suspicious use of FindShellTrayWindow
PID:1760

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
10⤵
- Runs ping.exe
PID:1472

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
10⤵
- Runs ping.exe
PID:1548

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
10⤵
- Runs ping.exe
PID:1740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:328

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
8⤵
- Suspicious use of FindShellTrayWindow
PID:1624

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:1012

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:1772

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:656

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
9⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:240

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:268

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
10⤵
PID:332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
10⤵
- Suspicious use of FindShellTrayWindow
PID:328

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
10⤵
- Runs ping.exe
PID:964

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
10⤵
- Runs ping.exe
PID:1756

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
10⤵
- Runs ping.exe
PID:1572

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
PID:1688

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
9⤵
PID:2000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
8⤵
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
8⤵
- Suspicious use of FindShellTrayWindow
PID:940

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:824

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:1876

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:1688

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
6⤵
PID:892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
6⤵
- Suspicious use of FindShellTrayWindow
PID:2132

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
6⤵
- Runs ping.exe
PID:2200

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
6⤵
- Runs ping.exe
PID:2216

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
6⤵
- Runs ping.exe
PID:2232

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
4⤵
PID:2208

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:2296

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
PID:2364

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
PID:2384

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
PID:2404

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
7⤵
PID:2420

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
PID:2444

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:2468

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Drops file in System32 directory
PID:2504

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
9⤵
PID:2536

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
PID:2584

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
9⤵
PID:2608

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
PID:2696

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
9⤵
PID:2720

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Drops file in System32 directory
PID:2808

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
9⤵
PID:2864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
PID:2932

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
9⤵
PID:2972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
8⤵
PID:3004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
8⤵
- Suspicious use of FindShellTrayWindow
PID:3048

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:1256

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:2272

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
8⤵
- Runs ping.exe
PID:2144

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
PID:2256

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
PID:2528

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
- Drops file in System32 directory
PID:2632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
PID:2664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
6⤵
PID:2708

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
6⤵
- Suspicious use of FindShellTrayWindow
PID:2704

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
6⤵
- Runs ping.exe
PID:2724

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
6⤵
- Runs ping.exe
PID:2652

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
6⤵
- Runs ping.exe
PID:2624

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
4⤵
PID:2760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
4⤵
PID:3060

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
4⤵
- Suspicious use of FindShellTrayWindow
PID:2400

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
4⤵
- Runs ping.exe
PID:2684

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
4⤵
- Runs ping.exe
PID:2688

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
4⤵
- Runs ping.exe
PID:2656

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
2⤵
PID:2648

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
3⤵
PID:2672

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
2⤵
PID:2740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
3⤵
PID:2768

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
2⤵
PID:2836

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
3⤵
PID:2892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
2⤵
PID:2964

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
2⤵
- Suspicious use of FindShellTrayWindow
PID:3032

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
2⤵
- Runs ping.exe
PID:2320

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
2⤵
- Runs ping.exe
PID:2408

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
2⤵
- Runs ping.exe
PID:1808

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ndsw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\ndsw.exe" csrss
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:328

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
PID:2040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:816

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ndsw.exe
Filesize
76KB

MD5
019d02f6ff40b761ca76dcec44331704

SHA1
fcf885d795fc726664dc932f7343f1864f2dbfa9

SHA256
893c51b00d1962cb3230cbe0d003570cf644e15f28f823bc83ab1e1c544a6540

SHA512
6255105f5dd9406fd97056b7a5860db92a0f16eb7c54d07c7d7788f22c6a95d28aabe150e4107eee80e00d61d93a253e378949a76f0f2d2947bb2b9ec82d28f0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ndsw.exe
Filesize
76KB

MD5
019d02f6ff40b761ca76dcec44331704

SHA1
fcf885d795fc726664dc932f7343f1864f2dbfa9

SHA256
893c51b00d1962cb3230cbe0d003570cf644e15f28f823bc83ab1e1c544a6540

SHA512
6255105f5dd9406fd97056b7a5860db92a0f16eb7c54d07c7d7788f22c6a95d28aabe150e4107eee80e00d61d93a253e378949a76f0f2d2947bb2b9ec82d28f0

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ndsw.exe
Filesize
76KB

MD5
019d02f6ff40b761ca76dcec44331704

SHA1
fcf885d795fc726664dc932f7343f1864f2dbfa9

SHA256
893c51b00d1962cb3230cbe0d003570cf644e15f28f823bc83ab1e1c544a6540

SHA512
6255105f5dd9406fd97056b7a5860db92a0f16eb7c54d07c7d7788f22c6a95d28aabe150e4107eee80e00d61d93a253e378949a76f0f2d2947bb2b9ec82d28f0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ndsw.exe
Filesize
76KB

MD5
019d02f6ff40b761ca76dcec44331704

SHA1
fcf885d795fc726664dc932f7343f1864f2dbfa9

SHA256
893c51b00d1962cb3230cbe0d003570cf644e15f28f823bc83ab1e1c544a6540

SHA512
6255105f5dd9406fd97056b7a5860db92a0f16eb7c54d07c7d7788f22c6a95d28aabe150e4107eee80e00d61d93a253e378949a76f0f2d2947bb2b9ec82d28f0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
75ce518ad5b75d85553f5e0457faec5b

SHA1
168b9b100c805741fda5db7748f43cd11699e26b

SHA256
1b43a20bb324bb5002dd5ebd20a1c9d74bb389f8c12ef89fe8fcd410f72a4818

SHA512
8593a0c4b979040afeef6a93678c9384f9d2d341b689d2c3e6999ae8815031f9ec78c76d8b6266782ca448c9e2969f426b6b5cf89cb38a05edf23324f3981811

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
memory/240-248-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/240-245-0x0000000000000000-mapping.dmp

Download
memory/328-94-0x0000000000000000-mapping.dmp

Download
memory/328-99-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/328-277-0x0000000000000000-mapping.dmp

Download
memory/332-230-0x0000000000000000-mapping.dmp

Download
memory/332-275-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/368-147-0x0000000000000000-mapping.dmp

Download
memory/588-191-0x0000000000000000-mapping.dmp

Download
memory/656-292-0x0000000000000000-mapping.dmp

Download
memory/668-177-0x0000000000000000-mapping.dmp

Download
memory/680-155-0x0000000000000000-mapping.dmp

Download
memory/680-160-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/736-125-0x0000000000000000-mapping.dmp

Download
memory/736-198-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-132-0x0000000000000000-mapping.dmp

Download
memory/780-236-0x0000000000000000-mapping.dmp

Download
memory/796-184-0x0000000000000000-mapping.dmp

Download
memory/816-215-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/816-212-0x0000000000000000-mapping.dmp

Download
memory/892-340-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/936-297-0x0000000000000000-mapping.dmp

Download
memory/940-176-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/940-171-0x0000000000000000-mapping.dmp

Download
memory/940-303-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/940-300-0x0000000000000000-mapping.dmp

Download
memory/972-196-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/972-117-0x0000000000000000-mapping.dmp

Download
memory/1012-288-0x0000000000000000-mapping.dmp

Download
memory/1108-111-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1108-58-0x0000000000000000-mapping.dmp

Download
memory/1136-330-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1136-327-0x0000000000000000-mapping.dmp

Download
memory/1176-223-0x0000000000000000-mapping.dmp

Download
memory/1188-219-0x0000000000000000-mapping.dmp

Download
memory/1188-222-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1224-187-0x0000000000000000-mapping.dmp

Download
memory/1224-311-0x0000000000000000-mapping.dmp

Download
memory/1224-190-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1256-200-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1256-168-0x0000000000000000-mapping.dmp

Download
memory/1256-372-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1300-263-0x0000000000000000-mapping.dmp

Download
memory/1304-304-0x0000000000000000-mapping.dmp

Download
memory/1344-256-0x0000000000000000-mapping.dmp

Download
memory/1356-350-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1460-255-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1460-252-0x0000000000000000-mapping.dmp

Download
memory/1472-278-0x0000000000000000-mapping.dmp

Download
memory/1476-345-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1484-174-0x0000000000000000-mapping.dmp

Download
memory/1484-175-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-281-0x0000000000000000-mapping.dmp

Download
memory/1568-139-0x0000000000000000-mapping.dmp

Download
memory/1568-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-216-0x0000000000000000-mapping.dmp

Download
memory/1624-285-0x0000000000000000-mapping.dmp

Download
memory/1636-209-0x0000000000000000-mapping.dmp

Download
memory/1640-266-0x0000000000000000-mapping.dmp

Download
memory/1648-249-0x0000000000000000-mapping.dmp

Download
memory/1664-242-0x0000000000000000-mapping.dmp

Download
memory/1664-294-0x0000000000000000-mapping.dmp

Download
memory/1664-366-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1664-351-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1672-287-0x0000000000000000-mapping.dmp

Download
memory/1688-324-0x0000000000000000-mapping.dmp

Download
memory/1724-208-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1724-205-0x0000000000000000-mapping.dmp

Download
memory/1728-199-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/1728-163-0x0000000000000000-mapping.dmp

Download
memory/1740-282-0x0000000000000000-mapping.dmp

Download
memory/1744-335-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-201-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-293-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-194-0x0000000000000000-mapping.dmp

Download
memory/1760-273-0x0000000000000000-mapping.dmp

Download
memory/1764-86-0x0000000000000000-mapping.dmp

Download
memory/1772-239-0x0000000000000000-mapping.dmp

Download
memory/1772-290-0x0000000000000000-mapping.dmp

Download
memory/1816-109-0x0000000000390000-0x00000000003B9000-memory.dmp

Filesize
164KB

Download
memory/1816-110-0x0000000000390000-0x00000000003B9000-memory.dmp

Filesize
164KB

Download
memory/1832-307-0x0000000000000000-mapping.dmp

Download
memory/1832-310-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-314-0x0000000000000000-mapping.dmp

Download
memory/1848-317-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1876-318-0x0000000000000000-mapping.dmp

Download
memory/1904-229-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1904-226-0x0000000000000000-mapping.dmp

Download
memory/1988-74-0x0000000000000000-mapping.dmp

Download
memory/1988-114-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1988-477-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-233-0x0000000000000000-mapping.dmp

Download
memory/1992-358-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-321-0x0000000000000000-mapping.dmp

Download
memory/1992-284-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-352-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-272-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1992-276-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-259-0x0000000000000000-mapping.dmp

Download
memory/1996-262-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-113-0x0000000000260000-0x0000000000289000-memory.dmp

Filesize
164KB

Download
memory/2024-112-0x0000000000260000-0x0000000000289000-memory.dmp

Filesize
164KB

Download
memory/2024-64-0x0000000000000000-mapping.dmp

Download
memory/2028-102-0x0000000000000000-mapping.dmp

Download
memory/2032-202-0x0000000000000000-mapping.dmp

Download
memory/2040-183-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-269-0x0000000000000000-mapping.dmp

Download
memory/2040-180-0x0000000000000000-mapping.dmp

Download
memory/2208-396-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/2296-397-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2384-380-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2444-394-0x0000000000250000-0x0000000000279000-memory.dmp

Filesize
164KB

Download
memory/2468-395-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-393-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-404-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-409-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-419-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-421-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-484-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-423-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-431-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-452-0x00000000002C0000-0x00000000002E9000-memory.dmp

Filesize
164KB

Download
memory/2768-436-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-453-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-451-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/2856-448-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-449-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-454-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2980-471-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download