Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 05:42
Static task
static1
Behavioral task
behavioral1
Sample
2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe
-
Size
127KB
-
MD5
2be1515a460d1a1eed83739c8698af6d
-
SHA1
97fb87c168633c4ecf4114884e71d7cb93171219
-
SHA256
f30af26ea7a16488fb969a6e7d5003c055a6e0435997d6e0a75bab826fe92314
-
SHA512
5844568e30b4a18c277f6fae52a1cce66d69846b4c9079fa52a995822111962c213453317a17158d4236e3b759c7ad2afc0f825e05f11880ce2d553c0f22e9c1
-
SSDEEP
1536:lamlu3hbBGy3G8nhMpD7MUYU6U5jUdPQc+n35KZg8/nouy8Iu:lreMPd/MYjUtQl78vout
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 13 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dvcv.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 11 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe -
Disables RegEdit via registry modification 11 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe winlogon.exe -
Executes dropped EXE 64 IoCs
pid Process 4960 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 4336 csrss.exe 4920 csrss.exe 2616 csrss.exe 3396 csrss.exe 1872 dvcv.exe 5104 smss.exe 3744 smss.exe 2364 csrss.exe 2244 csrss.exe 3964 smss.exe 1820 smss.exe 432 lsass.exe 1852 lsass.exe 4072 csrss.exe 2540 csrss.exe 228 smss.exe 3568 smss.exe 4352 lsass.exe 4824 lsass.exe 620 services.exe 3960 services.exe 5000 csrss.exe 1736 csrss.exe 912 smss.exe 2028 smss.exe 4600 lsass.exe 4868 lsass.exe 3524 services.exe 4984 services.exe 392 winlogon.exe 4344 winlogon.exe 3064 csrss.exe 4888 csrss.exe 3504 smss.exe 4488 smss.exe 948 lsass.exe 4860 lsass.exe 3272 services.exe 5072 services.exe 760 winlogon.exe 1280 winlogon.exe 1796 Paraysutki_VM_Community 4664 Paraysutki_VM_Community 1540 winlogon.exe 532 winlogon.exe 4020 csrss.exe 3372 csrss.exe 1692 smss.exe 1864 smss.exe 3168 lsass.exe 4680 lsass.exe 4896 services.exe 4556 services.exe 1172 csrss.exe 4104 csrss.exe 1396 smss.exe 1308 smss.exe 5032 lsass.exe 2640 lsass.exe 5076 services.exe 4000 services.exe 3004 winlogon.exe 2056 winlogon.exe -
Loads dropped DLL 64 IoCs
pid Process 4336 csrss.exe 4920 csrss.exe 2616 csrss.exe 3396 csrss.exe 5104 smss.exe 3744 smss.exe 2364 csrss.exe 2244 csrss.exe 3964 smss.exe 1820 smss.exe 432 lsass.exe 1852 lsass.exe 4072 csrss.exe 2540 csrss.exe 228 smss.exe 3568 smss.exe 4352 lsass.exe 4824 lsass.exe 620 services.exe 3960 services.exe 5000 csrss.exe 1736 csrss.exe 912 smss.exe 2028 smss.exe 4600 lsass.exe 4868 lsass.exe 3524 services.exe 4984 services.exe 392 winlogon.exe 4344 winlogon.exe 3064 csrss.exe 4888 csrss.exe 3504 smss.exe 4488 smss.exe 948 lsass.exe 4860 lsass.exe 3272 services.exe 5072 services.exe 760 winlogon.exe 1280 winlogon.exe 1796 Paraysutki_VM_Community 4664 Paraysutki_VM_Community 1540 winlogon.exe 532 winlogon.exe 4020 csrss.exe 3372 csrss.exe 1692 smss.exe 1864 smss.exe 3168 lsass.exe 4680 lsass.exe 4896 services.exe 4556 services.exe 1172 csrss.exe 4104 csrss.exe 1396 smss.exe 1308 smss.exe 5032 lsass.exe 2640 lsass.exe 5076 services.exe 4000 services.exe 3004 winlogon.exe 2056 winlogon.exe 4936 Paraysutki_VM_Community 4260 winlogon.exe -
Modifies system executable filetype association 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe -
Adds Run key to start application 2 TTPs 56 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" services.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: dvcv.exe File opened (read-only) \??\P: dvcv.exe File opened (read-only) \??\Q: dvcv.exe File opened (read-only) \??\Y: dvcv.exe File opened (read-only) \??\B: dvcv.exe File opened (read-only) \??\M: dvcv.exe File opened (read-only) \??\O: dvcv.exe File opened (read-only) \??\R: dvcv.exe File opened (read-only) \??\T: dvcv.exe File opened (read-only) \??\X: dvcv.exe File opened (read-only) \??\G: dvcv.exe File opened (read-only) \??\N: dvcv.exe File opened (read-only) \??\S: dvcv.exe File opened (read-only) \??\U: dvcv.exe File opened (read-only) \??\I: dvcv.exe File opened (read-only) \??\J: dvcv.exe File opened (read-only) \??\K: dvcv.exe File opened (read-only) \??\L: dvcv.exe File opened (read-only) \??\V: dvcv.exe File opened (read-only) \??\W: dvcv.exe File opened (read-only) \??\Z: dvcv.exe File opened (read-only) \??\E: dvcv.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe lsass.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt Paraysutki_VM_Community File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt Paraysutki_VM_Community File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt csrss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt Paraysutki_VM_Community File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community csrss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe winlogon.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe lsass.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe csrss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt services.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe lsass.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe csrss.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe winlogon.exe -
Drops file in Program Files directory 27 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe dvcv.exe File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\setup_wm.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe dvcv.exe File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe dvcv.exe File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe dvcv.exe File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe dvcv.exe File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe dvcv.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe dvcv.exe File opened for modification \??\c:\Program Files\7-Zip\7z.exe dvcv.exe File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe dvcv.exe File opened for modification \??\c:\Program Files\7-Zip\7zG.exe dvcv.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe dvcv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 33 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4460 ping.exe 208 ping.exe 4280 ping.exe 4300 ping.exe 1696 ping.exe 4512 ping.exe 4388 ping.exe 1204 ping.exe 5164 ping.exe 5276 ping.exe 1836 ping.exe 3972 ping.exe 5088 ping.exe 628 ping.exe 4988 ping.exe 776 ping.exe 1956 ping.exe 3668 ping.exe 344 ping.exe 3288 ping.exe 2416 ping.exe 4180 ping.exe 5148 ping.exe 5284 ping.exe 5576 ping.exe 3012 ping.exe 1852 ping.exe 5156 ping.exe 5584 ping.exe 1332 ping.exe 4104 ping.exe 5220 ping.exe 5568 ping.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main services.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main services.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main services.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" smss.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe -
Modifies registry class 58 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" dvcv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd dvcv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" dvcv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command dvcv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" dvcv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon dvcv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt dvcv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon dvcv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" dvcv.exe -
Runs ping.exe 1 TTPs 33 IoCs
pid Process 5148 ping.exe 1332 ping.exe 4104 ping.exe 4988 ping.exe 3668 ping.exe 3288 ping.exe 2416 ping.exe 628 ping.exe 4180 ping.exe 208 ping.exe 4300 ping.exe 4388 ping.exe 1204 ping.exe 3972 ping.exe 4460 ping.exe 5088 ping.exe 776 ping.exe 3012 ping.exe 344 ping.exe 4280 ping.exe 1696 ping.exe 5164 ping.exe 5284 ping.exe 5584 ping.exe 5568 ping.exe 4512 ping.exe 1852 ping.exe 1956 ping.exe 5156 ping.exe 1836 ping.exe 5276 ping.exe 5220 ping.exe 5576 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 392 winlogon.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe 620 services.exe -
Suspicious use of FindShellTrayWindow 11 IoCs
pid Process 4924 rundll32.exe 2564 rundll32.exe 2008 rundll32.exe 4128 rundll32.exe 3940 rundll32.exe 552 rundll32.exe 3916 rundll32.exe 4048 rundll32.exe 3124 rundll32.exe 4788 rundll32.exe 5456 rundll32.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 640 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 4960 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 4336 csrss.exe 4920 csrss.exe 2616 csrss.exe 3396 csrss.exe 1872 dvcv.exe 5104 smss.exe 3744 smss.exe 2364 csrss.exe 2244 csrss.exe 3964 smss.exe 1820 smss.exe 432 lsass.exe 1852 lsass.exe 4072 csrss.exe 2540 csrss.exe 228 smss.exe 3568 smss.exe 4352 lsass.exe 4824 lsass.exe 620 services.exe 3960 services.exe 5000 csrss.exe 1736 csrss.exe 912 smss.exe 2028 smss.exe 4600 lsass.exe 4868 lsass.exe 3524 services.exe 4984 services.exe 392 winlogon.exe 4344 winlogon.exe 3064 csrss.exe 4888 csrss.exe 3504 smss.exe 4488 smss.exe 948 lsass.exe 4860 lsass.exe 3272 services.exe 5072 services.exe 760 winlogon.exe 1280 winlogon.exe 1796 Paraysutki_VM_Community 4664 Paraysutki_VM_Community 1540 winlogon.exe 532 winlogon.exe 4020 csrss.exe 3372 csrss.exe 4924 rundll32.exe 4924 rundll32.exe 2564 rundll32.exe 2564 rundll32.exe 1692 smss.exe 1864 smss.exe 3168 lsass.exe 4680 lsass.exe 4896 services.exe 4556 services.exe 1172 csrss.exe 4104 csrss.exe 1396 smss.exe 1308 smss.exe 5032 lsass.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 640 wrote to memory of 4960 640 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 84 PID 640 wrote to memory of 4960 640 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 84 PID 640 wrote to memory of 4960 640 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 84 PID 4960 wrote to memory of 4336 4960 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 85 PID 4960 wrote to memory of 4336 4960 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 85 PID 4960 wrote to memory of 4336 4960 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe 85 PID 4336 wrote to memory of 4920 4336 csrss.exe 87 PID 4336 wrote to memory of 4920 4336 csrss.exe 87 PID 4336 wrote to memory of 4920 4336 csrss.exe 87 PID 4920 wrote to memory of 2616 4920 csrss.exe 89 PID 4920 wrote to memory of 2616 4920 csrss.exe 89 PID 4920 wrote to memory of 2616 4920 csrss.exe 89 PID 2616 wrote to memory of 3396 2616 csrss.exe 90 PID 2616 wrote to memory of 3396 2616 csrss.exe 90 PID 2616 wrote to memory of 3396 2616 csrss.exe 90 PID 2616 wrote to memory of 1872 2616 csrss.exe 91 PID 2616 wrote to memory of 1872 2616 csrss.exe 91 PID 2616 wrote to memory of 1872 2616 csrss.exe 91 PID 4920 wrote to memory of 5104 4920 csrss.exe 92 PID 4920 wrote to memory of 5104 4920 csrss.exe 92 PID 4920 wrote to memory of 5104 4920 csrss.exe 92 PID 5104 wrote to memory of 3744 5104 smss.exe 93 PID 5104 wrote to memory of 3744 5104 smss.exe 93 PID 5104 wrote to memory of 3744 5104 smss.exe 93 PID 3744 wrote to memory of 2364 3744 smss.exe 94 PID 3744 wrote to memory of 2364 3744 smss.exe 94 PID 3744 wrote to memory of 2364 3744 smss.exe 94 PID 2364 wrote to memory of 2244 2364 csrss.exe 95 PID 2364 wrote to memory of 2244 2364 csrss.exe 95 PID 2364 wrote to memory of 2244 2364 csrss.exe 95 PID 3744 wrote to memory of 3964 3744 smss.exe 96 PID 3744 wrote to memory of 3964 3744 smss.exe 96 PID 3744 wrote to memory of 3964 3744 smss.exe 96 PID 3964 wrote to memory of 1820 3964 smss.exe 97 PID 3964 wrote to memory of 1820 3964 smss.exe 97 PID 3964 wrote to memory of 1820 3964 smss.exe 97 PID 3744 wrote to memory of 432 3744 smss.exe 98 PID 3744 wrote to memory of 432 3744 smss.exe 98 PID 3744 wrote to memory of 432 3744 smss.exe 98 PID 432 wrote to memory of 1852 432 lsass.exe 99 PID 432 wrote to memory of 1852 432 lsass.exe 99 PID 432 wrote to memory of 1852 432 lsass.exe 99 PID 1852 wrote to memory of 4072 1852 lsass.exe 100 PID 1852 wrote to memory of 4072 1852 lsass.exe 100 PID 1852 wrote to memory of 4072 1852 lsass.exe 100 PID 4072 wrote to memory of 2540 4072 csrss.exe 101 PID 4072 wrote to memory of 2540 4072 csrss.exe 101 PID 4072 wrote to memory of 2540 4072 csrss.exe 101 PID 1852 wrote to memory of 228 1852 lsass.exe 102 PID 1852 wrote to memory of 228 1852 lsass.exe 102 PID 1852 wrote to memory of 228 1852 lsass.exe 102 PID 228 wrote to memory of 3568 228 smss.exe 103 PID 228 wrote to memory of 3568 228 smss.exe 103 PID 228 wrote to memory of 3568 228 smss.exe 103 PID 1852 wrote to memory of 4352 1852 lsass.exe 104 PID 1852 wrote to memory of 4352 1852 lsass.exe 104 PID 1852 wrote to memory of 4352 1852 lsass.exe 104 PID 4352 wrote to memory of 4824 4352 lsass.exe 105 PID 4352 wrote to memory of 4824 4352 lsass.exe 105 PID 4352 wrote to memory of 4824 4352 lsass.exe 105 PID 1852 wrote to memory of 620 1852 lsass.exe 106 PID 1852 wrote to memory of 620 1852 lsass.exe 106 PID 1852 wrote to memory of 620 1852 lsass.exe 106 PID 620 wrote to memory of 3960 620 services.exe 107 -
System policy modification 1 TTPs 22 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Users\Admin\AppData\Local\Temp\2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\2be1515a460d1a1eed83739c8698af6d_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4960 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4920 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3396
-
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dvcv.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\dvcv.exe" csrss6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1872
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3744 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2244
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1820
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1852 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2540
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3568
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4824
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3960 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5000 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1736
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:912 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2028
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4600 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4868
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3524 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4984
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:392 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4344 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3064 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4888
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3504 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4488
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:948 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4860
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3272 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5072
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:760 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1280
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1796
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4924
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3668
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3012
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:208
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4664
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2564
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:344
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3288
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4280
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1540 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:532 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4020 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3372
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1692 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1864
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3168 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4680
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4896 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4556 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1172 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4104
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1396 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1308
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5032 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4000
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4936
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2008
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4300
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2416
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4388
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
- Loads dropped DLL
PID:4260 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
- System Location Discovery: System Language Discovery
PID:536
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
- System Location Discovery: System Language Discovery
PID:2660
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4128
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1332
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:628
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1836
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3440
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3940
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1204
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4104
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1696 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:5032
-
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5000 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵PID:3524
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
- System Location Discovery: System Language Discovery
PID:4520
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵PID:3844
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵PID:808
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵PID:1900
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵PID:2496
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4048 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
- System Location Discovery: System Language Discovery
PID:4824
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
- System Location Discovery: System Language Discovery
PID:3888
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3916
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1852
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4512 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:3476
-
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4988
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵PID:4936
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵PID:1664
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵PID:4160
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:4788
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5148
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5156
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5164
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵PID:1664
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- System Location Discovery: System Language Discovery
PID:536
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Drops file in System32 directory
PID:3892 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe6⤵PID:4020
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:372 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵PID:4108
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- System Location Discovery: System Language Discovery
PID:4244
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵PID:3844
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- System Location Discovery: System Language Discovery
PID:4868
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵PID:636
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- System Location Discovery: System Language Discovery
PID:3476
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵PID:776
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵PID:2868
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- System Location Discovery: System Language Discovery
PID:4256
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵PID:4616
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:3124
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5220
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5276
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5284
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
- System Location Discovery: System Language Discovery
PID:5228
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
PID:5456
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5568
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5576
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5584
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵PID:4020
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe3⤵PID:4800
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:1396 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵PID:5012
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵PID:3504
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵PID:4584
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵PID:4616
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵PID:1016
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe6⤵PID:3528
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵PID:4376
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵PID:1664
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
- Drops file in System32 directory
PID:4160
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:552
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5088
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4460 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2560
-
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3972 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4584
-
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3704 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
- System Location Discovery: System Language Discovery
PID:4788
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵PID:4020
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
- System Location Discovery: System Language Discovery
PID:4612
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community3⤵
- System Location Discovery: System Language Discovery
PID:3272
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4048
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:776 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4868
-
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1956
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4180
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD569beac0954c38e170a6db8c50fe6a055
SHA12b16d43fa9c5d042a030b9267846cf254d47da75
SHA2562f850319eb8dcefbd7d7c2f405c9b5a9e76ca7ebda34751017e2f23c01a00e8e
SHA512c219d6d014898394116b1b19ac330143396af470198334f01b2944049b5bb9fe2c5febfcb040ff6ed2e75416908b7089ff0261b7c7c2029a60c3cae8a01666a1
-
Filesize
76KB
MD5a570aa0fa3e9dcf016095dd9fbf6aa07
SHA123a26b85203167371b550fc2c811e474ab664e73
SHA2562727ecd1cecb34f8f2a9e71be4a889ac05a45f60d5d994b4a82083db34cc478d
SHA512c8724c425d3228656412bf6a802af145522325a6bb26ab717bb2bb14a6115cfcaab90ee76348ba04eff7ad9071610621930f76ca4e3668b74f707f3cbd8d7e95
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
127KB
MD54d279bbc7fbb219243527f16c5067cf0
SHA19bc84abe10d4601da7a9a07d59bde82d43ad8430
SHA256e936ecc91f54883345cfba2ba80f6131b37095056e723e123f32eb8ef2681418
SHA5126810e681e3ffcfa6b57f46c9d7c408f86422c798e193b4801b60d3b00310b2ae91ab5915ab234a9d089ec4e27ffc1057ee71f40fae6e6efb539e363f786f6a67
-
Filesize
76KB
MD5b840b982c9be15e8b60f3879a6bfd69c
SHA130d680770e7632be40c2114b2554383108f8e837
SHA256aca9bb9788849e1ed6a76d4dc0b41b6b1e11d8f81e5ad45bb1e295f5c54ee005
SHA51291822d38bfbd9325719eada5929dd01bfc0b303ccdea871063eafbfd201ab1d50c343ed489c5b056e415fb62b17c0f9fda32e1cbc906c3c60bc2fa74cf231987
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062