4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590

Analysis

max time kernel
26s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
Size

77KB
MD5

0220615191ea4e9d6f4442b57b7be970
SHA1

0ac943ed69468babfd8fe7ff62534763fe835805
SHA256

4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590
SHA512

af7554c39d80779b28e463d89cc89ca04edd141c6d5062c516548e8d3cf24ffe31e632297e98d59c8f685e9ea6d9eb61d5685c939e619084cb5a8bd0a02b4706
SSDEEP

768:QMXkE7U60L5jTgc/iPQc0Ic+a+GlKyHu0y3u02qU6E4/IJe/nbcuyD7UIu:QMUYU6U5jUdPQc+n35KZg8/nouy8Iu

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Disables RegEdit via registry modification 5 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 54 IoCs

pid	Process
1000	csrss.exe
972	csrss.exe
1744	smss.exe
1772	csrss.exe
1264	smss.exe
1560	lsass.exe
1564	csrss.exe
988	smss.exe
844	lsass.exe
2028	services.exe
1220	csrss.exe
1548	smss.exe
1324	lsass.exe
864	services.exe
2016	winlogon.exe
1608	csrss.exe
1224	smss.exe
1568	lsass.exe
316	services.exe
1308	winlogon.exe
1872	Paraysutki_VM_Community
1868	csrss.exe
392	smss.exe
1600	lsass.exe
1964	services.exe
1012	winlogon.exe
1040	Paraysutki_VM_Community
304	Paraysutki_VM_Community
1608	csrss.exe
580	smss.exe
920	lsass.exe
1632	services.exe
1152	winlogon.exe
1924	csrss.exe
1556	smss.exe
1320	lsass.exe
1416	services.exe
828	winlogon.exe
824	Paraysutki_VM_Community
580	Paraysutki_VM_Community
1944	smss.exe
1504	lsass.exe
2040	services.exe
920	winlogon.exe
2036	lsass.exe
1900	services.exe
1280	winlogon.exe
1012	winlogon.exe
1588	services.exe
1596	csrss.exe
1868	Paraysutki_VM_Community
1892	winlogon.exe
2244	Paraysutki_VM_Community
2264	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	services.exe

Loads dropped DLL 64 IoCs

pid	Process
1672	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
1672	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
1000	csrss.exe
1000	csrss.exe
1000	csrss.exe
972	csrss.exe
1000	csrss.exe
1000	csrss.exe
1744	smss.exe
1744	smss.exe
1744	smss.exe
1772	csrss.exe
1744	smss.exe
1744	smss.exe
1264	smss.exe
1744	smss.exe
1744	smss.exe
1560	lsass.exe
1560	lsass.exe
1560	lsass.exe
1564	csrss.exe
1560	lsass.exe
1560	lsass.exe
988	smss.exe
1560	lsass.exe
1560	lsass.exe
844	lsass.exe
1560	lsass.exe
1560	lsass.exe
2028	services.exe
2028	services.exe
2028	services.exe
1220	csrss.exe
2028	services.exe
2028	services.exe
1548	smss.exe
2028	services.exe
2028	services.exe
1324	lsass.exe
2028	services.exe
2028	services.exe
864	services.exe
2028	services.exe
2028	services.exe
2016	winlogon.exe
2016	winlogon.exe
2016	winlogon.exe
1608	csrss.exe
2016	winlogon.exe
2016	winlogon.exe
1224	smss.exe
2016	winlogon.exe
2016	winlogon.exe
1568	lsass.exe
2016	winlogon.exe
2016	winlogon.exe
316	services.exe
2016	winlogon.exe
2016	winlogon.exe
1308	winlogon.exe
2016	winlogon.exe
2016	winlogon.exe
1872	Paraysutki_VM_Community
1872	Paraysutki_VM_Community

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	Paraysutki_VM_Community

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	Paraysutki_VM_Community

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Paraysutki_VM_Community
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Paraysutki_VM_Community
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	Paraysutki_VM_Community
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe

Runs ping.exe 1 TTPs 33 IoCs

Remote System Discovery

T1018

pid	Process
1488	ping.exe
2128	ping.exe
2692	ping.exe
3056	ping.exe
3020	ping.exe
2832	ping.exe
988	ping.exe
1076	ping.exe
1804	ping.exe
2956	ping.exe
2120	ping.exe
2936	ping.exe
364	ping.exe
1628	ping.exe
3036	ping.exe
2172	ping.exe
2112	ping.exe
2836	ping.exe
2940	ping.exe
1000	ping.exe
900	ping.exe
2672	ping.exe
3028	ping.exe
2848	ping.exe
688	ping.exe
844	ping.exe
2968	ping.exe
2948	ping.exe
2680	ping.exe
2984	ping.exe
2976	ping.exe
2180	ping.exe
2148	ping.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1376	rundll32.exe
896	rundll32.exe
112	rundll32.exe
1200	rundll32.exe
824	rundll32.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
1672	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
1000	csrss.exe
972	csrss.exe
1744	smss.exe
1772	csrss.exe
1264	smss.exe
1560	lsass.exe
1564	csrss.exe
988	smss.exe
844	lsass.exe
2028	services.exe
1220	csrss.exe
1548	smss.exe
1324	lsass.exe
864	services.exe
2016	winlogon.exe
1608	csrss.exe
1224	smss.exe
1568	lsass.exe
316	services.exe
1308	winlogon.exe
1872	Paraysutki_VM_Community
1868	csrss.exe
392	smss.exe
1600	lsass.exe
1964	services.exe
1012	winlogon.exe
1040	Paraysutki_VM_Community
304	Paraysutki_VM_Community
1608	csrss.exe
580	smss.exe
920	lsass.exe
1632	services.exe
1152	winlogon.exe
1924	csrss.exe
1556	smss.exe
1320	lsass.exe
1416	services.exe
828	winlogon.exe
824	Paraysutki_VM_Community
580	Paraysutki_VM_Community
1944	smss.exe
1504	lsass.exe
2040	services.exe
920	winlogon.exe
2036	lsass.exe
1900	services.exe
1588	services.exe
1012	winlogon.exe
1868	Paraysutki_VM_Community
1596	csrss.exe
1892	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1000	1672	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe	27
PID 1672 wrote to memory of 1000	1672	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe	27
PID 1672 wrote to memory of 1000	1672	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe	27
PID 1672 wrote to memory of 1000	1672	4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe	27
PID 1000 wrote to memory of 972	1000	csrss.exe	28
PID 1000 wrote to memory of 972	1000	csrss.exe	28
PID 1000 wrote to memory of 972	1000	csrss.exe	28
PID 1000 wrote to memory of 972	1000	csrss.exe	28
PID 1000 wrote to memory of 1744	1000	csrss.exe	29
PID 1000 wrote to memory of 1744	1000	csrss.exe	29
PID 1000 wrote to memory of 1744	1000	csrss.exe	29
PID 1000 wrote to memory of 1744	1000	csrss.exe	29
PID 1744 wrote to memory of 1772	1744	smss.exe	30
PID 1744 wrote to memory of 1772	1744	smss.exe	30
PID 1744 wrote to memory of 1772	1744	smss.exe	30
PID 1744 wrote to memory of 1772	1744	smss.exe	30
PID 1744 wrote to memory of 1264	1744	smss.exe	31
PID 1744 wrote to memory of 1264	1744	smss.exe	31
PID 1744 wrote to memory of 1264	1744	smss.exe	31
PID 1744 wrote to memory of 1264	1744	smss.exe	31
PID 1744 wrote to memory of 1560	1744	smss.exe	32
PID 1744 wrote to memory of 1560	1744	smss.exe	32
PID 1744 wrote to memory of 1560	1744	smss.exe	32
PID 1744 wrote to memory of 1560	1744	smss.exe	32
PID 1560 wrote to memory of 1564	1560	lsass.exe	33
PID 1560 wrote to memory of 1564	1560	lsass.exe	33
PID 1560 wrote to memory of 1564	1560	lsass.exe	33
PID 1560 wrote to memory of 1564	1560	lsass.exe	33
PID 1560 wrote to memory of 988	1560	lsass.exe	34
PID 1560 wrote to memory of 988	1560	lsass.exe	34
PID 1560 wrote to memory of 988	1560	lsass.exe	34
PID 1560 wrote to memory of 988	1560	lsass.exe	34
PID 1560 wrote to memory of 844	1560	lsass.exe	35
PID 1560 wrote to memory of 844	1560	lsass.exe	35
PID 1560 wrote to memory of 844	1560	lsass.exe	35
PID 1560 wrote to memory of 844	1560	lsass.exe	35
PID 1560 wrote to memory of 2028	1560	lsass.exe	36
PID 1560 wrote to memory of 2028	1560	lsass.exe	36
PID 1560 wrote to memory of 2028	1560	lsass.exe	36
PID 1560 wrote to memory of 2028	1560	lsass.exe	36
PID 2028 wrote to memory of 1220	2028	services.exe	37
PID 2028 wrote to memory of 1220	2028	services.exe	37
PID 2028 wrote to memory of 1220	2028	services.exe	37
PID 2028 wrote to memory of 1220	2028	services.exe	37
PID 2028 wrote to memory of 1548	2028	services.exe	38
PID 2028 wrote to memory of 1548	2028	services.exe	38
PID 2028 wrote to memory of 1548	2028	services.exe	38
PID 2028 wrote to memory of 1548	2028	services.exe	38
PID 2028 wrote to memory of 1324	2028	services.exe	39
PID 2028 wrote to memory of 1324	2028	services.exe	39
PID 2028 wrote to memory of 1324	2028	services.exe	39
PID 2028 wrote to memory of 1324	2028	services.exe	39
PID 2028 wrote to memory of 864	2028	services.exe	40
PID 2028 wrote to memory of 864	2028	services.exe	40
PID 2028 wrote to memory of 864	2028	services.exe	40
PID 2028 wrote to memory of 864	2028	services.exe	40
PID 2028 wrote to memory of 2016	2028	services.exe	41
PID 2028 wrote to memory of 2016	2028	services.exe	41
PID 2028 wrote to memory of 2016	2028	services.exe	41
PID 2028 wrote to memory of 2016	2028	services.exe	41
PID 2016 wrote to memory of 1608	2016	winlogon.exe	42
PID 2016 wrote to memory of 1608	2016	winlogon.exe	42
PID 2016 wrote to memory of 1608	2016	winlogon.exe	42
PID 2016 wrote to memory of 1608	2016	winlogon.exe	42

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Paraysutki_VM_Community

C:\Users\Admin\AppData\Local\Temp\4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe
"C:\Users\Admin\AppData\Local\Temp\4a6deb36dd1500d2cf1dc7a1a562e665a46018c1386a1e4159a6a688f1a5a590.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:972
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1772
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1264
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1564
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:988
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:844
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2028
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1220
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1548
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1324
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:864
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2016
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:112
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:988
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:688
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:844
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1376
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1076
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1488
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1804
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:304
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1152
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:896
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:364
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:1628
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1200
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2128
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2120
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2112
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:824
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:2180
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:2172
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:2148
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        Executes dropped EXE
        
        PID:1280
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3028
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3056
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3036
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1900
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1012
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      4⤵
      Executes dropped EXE
      PID:2244
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\ping.exe
      ping www.rasasayang.com.my -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2956
  - - C:\Windows\SysWOW64\ping.exe
      ping www.data0.net -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2948
  - - C:\Windows\SysWOW64\ping.exe
      ping www.duniasex.com -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2940
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2036
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1588
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1892
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2984
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2976
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2968
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1944
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1504
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2040
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:920
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      Executes dropped EXE
      PID:2264
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\ping.exe
      ping www.rasasayang.com.my -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2848
  - - C:\Windows\SysWOW64\ping.exe
      ping www.data0.net -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2836
  - - C:\Windows\SysWOW64\ping.exe
      ping www.duniasex.com -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2832
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:3020
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:1000
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2936
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
  2⤵
  PID:2428
- C:\Windows\SysWOW64\ping.exe
  ping www.duniasex.com -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:2672
- C:\Windows\SysWOW64\ping.exe
  ping www.rasasayang.com.my -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:2692
- C:\Windows\SysWOW64\ping.exe
  ping www.data0.net -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:2680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
77KB

MD5
08a8651a66024da9cce2b257a94d7a07

SHA1
407b18a4f99945af1128702e7c71bf377490ca07

SHA256
f6995df3ec9af68606bddb1f8179138f0582224c972b45a3cb8dc4d94bf5d18a

SHA512
86a88214518c5be98ffa46037d1ec0182693f56589af7acf55c905397706e2a5d9b09daed40da18bdd7a382643bec23bf32f03f9069df7a4501d9ffdebe5765e

Download Submit
memory/304-302-0x0000000000350000-0x0000000000386000-memory.dmp

Filesize
216KB

Download
memory/304-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/304-254-0x0000000000350000-0x0000000000386000-memory.dmp

Filesize
216KB

Download
memory/304-253-0x0000000000350000-0x0000000000386000-memory.dmp

Filesize
216KB

Download
memory/316-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/392-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/580-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/580-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/580-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/824-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/828-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/864-177-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/920-351-0x0000000000510000-0x0000000000546000-memory.dmp

Filesize
216KB

Download
memory/920-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/920-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/972-77-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/988-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1000-337-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1000-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1012-354-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1152-301-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1224-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1264-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1280-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1308-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1320-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1324-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1416-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1556-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1560-333-0x0000000000470000-0x00000000004A6000-memory.dmp

Filesize
216KB

Download
memory/1560-332-0x0000000000470000-0x00000000004A6000-memory.dmp

Filesize
216KB

Download
memory/1560-157-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1564-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1568-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1600-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1672-90-0x0000000000520000-0x0000000000556000-memory.dmp

Filesize
216KB

Download
memory/1672-314-0x0000000000520000-0x0000000000556000-memory.dmp

Filesize
216KB

Download
memory/1672-327-0x0000000000520000-0x0000000000556000-memory.dmp

Filesize
216KB

Download
memory/1672-315-0x0000000000520000-0x0000000000556000-memory.dmp

Filesize
216KB

Download
memory/1672-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-338-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/1744-155-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/1744-330-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/1744-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1772-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1872-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1872-229-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1872-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1900-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1900-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-271-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1944-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1964-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-221-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2028-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-329-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2040-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads