a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Size

205KB
MD5

61fa3c8fad63f911bc09c0f3400e2954
SHA1

f493e29f2e184723916b4bbf7622eb4d99f77798
SHA256

a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82
SHA512

c4fe89e89b50cba43e4eed9e3ebe6954ae9733a60c9c90d2b53e0dec6ea57390120f1ea25a318de6c5481de63ee2cee19a945c57988a69891a6f0fed9761d941
SSDEEP

3072:zqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:zqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe

Modifies system executable filetype association 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hscw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hscw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

UAC bypass 3 TTPs 7 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe

Disables RegEdit via registry modification 7 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
2024	csrss.exe
1632	csrss.exe
336	csrss.exe
764	csrss.exe
824	hscw.exe
780	smss.exe
1680	smss.exe
1964	csrss.exe
1360	csrss.exe
1468	smss.exe
956	smss.exe
1228	lsass.exe
1412	lsass.exe
872	csrss.exe
676	csrss.exe
1076	smss.exe
1604	smss.exe
1988	lsass.exe
1672	lsass.exe
1476	services.exe
1820	services.exe
1780	csrss.exe
988	csrss.exe
2012	smss.exe
580	smss.exe
904	lsass.exe
764	lsass.exe
1300	services.exe
740	services.exe
1292	winlogon.exe
1668	winlogon.exe
1220	csrss.exe
1316	csrss.exe
1084	smss.exe
1360	smss.exe
1080	lsass.exe
2016	lsass.exe
852	services.exe
2008	services.exe
1252	winlogon.exe
528	winlogon.exe
1976	~Paraysutki_VM_Community~
1676	~Paraysutki_VM_Community~
572	smss.exe
904	smss.exe
336	lsass.exe
1756	lsass.exe
1964	services.exe
1084	services.exe
664	winlogon.exe
1080	winlogon.exe
1748	lsass.exe
1640	lsass.exe
1812	csrss.exe
1500	csrss.exe
1976	services.exe
788	smss.exe
1612	services.exe
1896	winlogon.exe
1624	smss.exe
1980	services.exe
1628	winlogon.exe
900	services.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe

Loads dropped DLL 64 IoCs

pid	Process
1488	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
1488	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
1632	csrss.exe
1632	csrss.exe
1632	csrss.exe
336	csrss.exe
336	csrss.exe
764	csrss.exe
336	csrss.exe
336	csrss.exe
1632	csrss.exe
1632	csrss.exe
780	smss.exe
780	smss.exe
780	smss.exe
1680	smss.exe
1680	smss.exe
1680	smss.exe
1964	csrss.exe
1964	csrss.exe
1360	csrss.exe
1680	smss.exe
1680	smss.exe
1468	smss.exe
1468	smss.exe
956	smss.exe
1680	smss.exe
1680	smss.exe
1228	lsass.exe
1228	lsass.exe
1228	lsass.exe
1412	lsass.exe
1412	lsass.exe
1412	lsass.exe
872	csrss.exe
872	csrss.exe
676	csrss.exe
1412	lsass.exe
1412	lsass.exe
1076	smss.exe
1076	smss.exe
1604	smss.exe
1412	lsass.exe
1412	lsass.exe
1988	lsass.exe
1988	lsass.exe
1672	lsass.exe
1412	lsass.exe
1412	lsass.exe
1476	services.exe
1476	services.exe
1476	services.exe
1820	services.exe
1820	services.exe
1820	services.exe
1780	csrss.exe
1780	csrss.exe
988	csrss.exe
1820	services.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	hscw.exe
File opened (read-only)	\??\M:	hscw.exe
File opened (read-only)	\??\N:	hscw.exe
File opened (read-only)	\??\W:	hscw.exe
File opened (read-only)	\??\Y:	hscw.exe
File opened (read-only)	\??\Z:	hscw.exe
File opened (read-only)	\??\B:	hscw.exe
File opened (read-only)	\??\F:	hscw.exe
File opened (read-only)	\??\O:	hscw.exe
File opened (read-only)	\??\S:	hscw.exe
File opened (read-only)	\??\U:	hscw.exe
File opened (read-only)	\??\X:	hscw.exe
File opened (read-only)	\??\T:	hscw.exe
File opened (read-only)	\??\G:	hscw.exe
File opened (read-only)	\??\I:	hscw.exe
File opened (read-only)	\??\K:	hscw.exe
File opened (read-only)	\??\L:	hscw.exe
File opened (read-only)	\??\P:	hscw.exe
File opened (read-only)	\??\R:	hscw.exe
File opened (read-only)	\??\E:	hscw.exe
File opened (read-only)	\??\H:	hscw.exe
File opened (read-only)	\??\Q:	hscw.exe
File opened (read-only)	\??\V:	hscw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\Desktop.sysm	hscw.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	hscw.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	hscw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	hscw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	hscw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	hscw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	hscw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	hscw.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	services.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	hscw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	hscw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	hscw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	hscw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	hscw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	hscw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	hscw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	hscw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe

Runs ping.exe 1 TTPs 21 IoCs

Remote System Discovery

T1018

pid	Process
528	ping.exe
1152	ping.exe
676	ping.exe
2216	ping.exe
1884	ping.exe
904	ping.exe
1980	ping.exe
2224	ping.exe
2208	ping.exe
2404	ping.exe
2420	ping.exe
1988	ping.exe
1764	ping.exe
2412	ping.exe
1672	ping.exe
1464	ping.exe
1084	ping.exe
560	ping.exe
1632	ping.exe
952	ping.exe
1880	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
1292	winlogon.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe
2024	csrss.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1488	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
2024	csrss.exe
1632	csrss.exe
336	csrss.exe
764	csrss.exe
824	hscw.exe
780	smss.exe
1680	smss.exe
1964	csrss.exe
1360	csrss.exe
1468	smss.exe
956	smss.exe
1228	lsass.exe
1412	lsass.exe
872	csrss.exe
676	csrss.exe
1076	smss.exe
1604	smss.exe
1988	lsass.exe
1672	lsass.exe
1476	services.exe
1820	services.exe
1780	csrss.exe
988	csrss.exe
2012	smss.exe
580	smss.exe
904	lsass.exe
764	lsass.exe
1300	services.exe
740	services.exe
1292	winlogon.exe
1668	winlogon.exe
1220	csrss.exe
1316	csrss.exe
1084	smss.exe
1360	smss.exe
1080	lsass.exe
2016	lsass.exe
852	services.exe
2008	services.exe
1252	winlogon.exe
528	winlogon.exe
1976	~Paraysutki_VM_Community~
1676	~Paraysutki_VM_Community~
572	smss.exe
904	smss.exe
336	lsass.exe
1756	lsass.exe
1964	services.exe
1084	services.exe
664	winlogon.exe
1080	winlogon.exe
1748	lsass.exe
1640	lsass.exe
1812	csrss.exe
1500	csrss.exe
1976	services.exe
1612	services.exe
788	smss.exe
1896	winlogon.exe
1980	services.exe
1628	winlogon.exe
1624	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2032	1488	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	26
PID 1488 wrote to memory of 2032	1488	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	26
PID 1488 wrote to memory of 2032	1488	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	26
PID 1488 wrote to memory of 2032	1488	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	26
PID 2032 wrote to memory of 2024	2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	27
PID 2032 wrote to memory of 2024	2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	27
PID 2032 wrote to memory of 2024	2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	27
PID 2032 wrote to memory of 2024	2032	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe	27
PID 2024 wrote to memory of 1632	2024	csrss.exe	28
PID 2024 wrote to memory of 1632	2024	csrss.exe	28
PID 2024 wrote to memory of 1632	2024	csrss.exe	28
PID 2024 wrote to memory of 1632	2024	csrss.exe	28
PID 1632 wrote to memory of 336	1632	csrss.exe	29
PID 1632 wrote to memory of 336	1632	csrss.exe	29
PID 1632 wrote to memory of 336	1632	csrss.exe	29
PID 1632 wrote to memory of 336	1632	csrss.exe	29
PID 336 wrote to memory of 764	336	csrss.exe	30
PID 336 wrote to memory of 764	336	csrss.exe	30
PID 336 wrote to memory of 764	336	csrss.exe	30
PID 336 wrote to memory of 764	336	csrss.exe	30
PID 336 wrote to memory of 824	336	csrss.exe	31
PID 336 wrote to memory of 824	336	csrss.exe	31
PID 336 wrote to memory of 824	336	csrss.exe	31
PID 336 wrote to memory of 824	336	csrss.exe	31
PID 1632 wrote to memory of 780	1632	csrss.exe	32
PID 1632 wrote to memory of 780	1632	csrss.exe	32
PID 1632 wrote to memory of 780	1632	csrss.exe	32
PID 1632 wrote to memory of 780	1632	csrss.exe	32
PID 780 wrote to memory of 1680	780	smss.exe	33
PID 780 wrote to memory of 1680	780	smss.exe	33
PID 780 wrote to memory of 1680	780	smss.exe	33
PID 780 wrote to memory of 1680	780	smss.exe	33
PID 1680 wrote to memory of 1964	1680	smss.exe	34
PID 1680 wrote to memory of 1964	1680	smss.exe	34
PID 1680 wrote to memory of 1964	1680	smss.exe	34
PID 1680 wrote to memory of 1964	1680	smss.exe	34
PID 1964 wrote to memory of 1360	1964	csrss.exe	35
PID 1964 wrote to memory of 1360	1964	csrss.exe	35
PID 1964 wrote to memory of 1360	1964	csrss.exe	35
PID 1964 wrote to memory of 1360	1964	csrss.exe	35
PID 1680 wrote to memory of 1468	1680	smss.exe	36
PID 1680 wrote to memory of 1468	1680	smss.exe	36
PID 1680 wrote to memory of 1468	1680	smss.exe	36
PID 1680 wrote to memory of 1468	1680	smss.exe	36
PID 1468 wrote to memory of 956	1468	smss.exe	37
PID 1468 wrote to memory of 956	1468	smss.exe	37
PID 1468 wrote to memory of 956	1468	smss.exe	37
PID 1468 wrote to memory of 956	1468	smss.exe	37
PID 1680 wrote to memory of 1228	1680	smss.exe	38
PID 1680 wrote to memory of 1228	1680	smss.exe	38
PID 1680 wrote to memory of 1228	1680	smss.exe	38
PID 1680 wrote to memory of 1228	1680	smss.exe	38
PID 1228 wrote to memory of 1412	1228	lsass.exe	39
PID 1228 wrote to memory of 1412	1228	lsass.exe	39
PID 1228 wrote to memory of 1412	1228	lsass.exe	39
PID 1228 wrote to memory of 1412	1228	lsass.exe	39
PID 1412 wrote to memory of 872	1412	lsass.exe	40
PID 1412 wrote to memory of 872	1412	lsass.exe	40
PID 1412 wrote to memory of 872	1412	lsass.exe	40
PID 1412 wrote to memory of 872	1412	lsass.exe	40
PID 872 wrote to memory of 676	872	csrss.exe	41
PID 872 wrote to memory of 676	872	csrss.exe	41
PID 872 wrote to memory of 676	872	csrss.exe	41
PID 872 wrote to memory of 676	872	csrss.exe	41

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe

C:\Users\Admin\AppData\Local\Temp\a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
"C:\Users\Admin\AppData\Local\Temp\a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
  C:\Users\Admin\AppData\Local\Temp\a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2032
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1632
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:764
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\hscw.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\hscw.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:824
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1680
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1412
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:528
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:1672
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:1988
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        13⤵
        Runs ping.exe
        
        PID:1464
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        13⤵
        
        PID:548
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        13⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        13⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        13⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        13⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        13⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:944
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        11⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        11⤵
        Runs ping.exe
        
        PID:952
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:676
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:1880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        11⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        11⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        11⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        11⤵
        
        PID:844
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        
        PID:952
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        10⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2404
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        9⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        9⤵
        Runs ping.exe
        
        PID:2420
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2412
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        9⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        9⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        9⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        9⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        
        PID:584
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:1152
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:904
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1084
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:740
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1748
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1640
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Drops file in System32 directory
        
        PID:972
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        
        PID:292
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:1884
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1764
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:528
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:112
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:616
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:1708
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:572
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:904
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:336
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1756
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1964
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1084
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:664
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1080
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1812
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:788
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        
        PID:764
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        
        PID:1300
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        
        PID:1668
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Drops file in System32 directory
        
        PID:1628
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:560
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1980
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1632
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:844
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:616
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:844
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:1300
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2216
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:2224
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2208
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\hscw.exe

Filesize
76KB

MD5
58cfacca5410b803dc0ef24b5b88fe31

SHA1
86600ec1e27f1efa1afa63e4d40ef915c4d99a2a

SHA256
7d084c34ac3fd14218bff6ab1073e4e1dc62bed9a6220a43fb4ebb6e38e79382

SHA512
c14915cc1e937ebebee4770edd2d1927e6b9cafc381f392177b798ce24897051bfe06b8aef7344c3d0e40e3b60e6372cf6f4011a31ddbbc4c0787524484e6cd8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\hscw.exe

Filesize
76KB

MD5
58cfacca5410b803dc0ef24b5b88fe31

SHA1
86600ec1e27f1efa1afa63e4d40ef915c4d99a2a

SHA256
7d084c34ac3fd14218bff6ab1073e4e1dc62bed9a6220a43fb4ebb6e38e79382

SHA512
c14915cc1e937ebebee4770edd2d1927e6b9cafc381f392177b798ce24897051bfe06b8aef7344c3d0e40e3b60e6372cf6f4011a31ddbbc4c0787524484e6cd8

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
a3f35ebd41036042ae2d6cf91a7a4a9a

SHA1
41dae12d240b0b2f74eea15eeaf6c28184510758

SHA256
e6385420df45012716ce6e7df26d3397c5a38391dae0cd1ddd274d2e7f5cd7af

SHA512
a8276167ac8d959adb93210bb2aafb2d54f2d04b714f31a8b59653e76d7eb5f93464efbee9a74331607304ab3d3b06c5ed29bda57b2870419e69ae8d785c852f

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\a495d227efce6211a9d123b40d96cd47251746e4e716048b1a365235fd7e3c82.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\hscw.exe

Filesize
76KB

MD5
58cfacca5410b803dc0ef24b5b88fe31

SHA1
86600ec1e27f1efa1afa63e4d40ef915c4d99a2a

SHA256
7d084c34ac3fd14218bff6ab1073e4e1dc62bed9a6220a43fb4ebb6e38e79382

SHA512
c14915cc1e937ebebee4770edd2d1927e6b9cafc381f392177b798ce24897051bfe06b8aef7344c3d0e40e3b60e6372cf6f4011a31ddbbc4c0787524484e6cd8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\hscw.exe

Filesize
76KB

MD5
58cfacca5410b803dc0ef24b5b88fe31

SHA1
86600ec1e27f1efa1afa63e4d40ef915c4d99a2a

SHA256
7d084c34ac3fd14218bff6ab1073e4e1dc62bed9a6220a43fb4ebb6e38e79382

SHA512
c14915cc1e937ebebee4770edd2d1927e6b9cafc381f392177b798ce24897051bfe06b8aef7344c3d0e40e3b60e6372cf6f4011a31ddbbc4c0787524484e6cd8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
783e0d56a334b6cdddd857f3b6e58500

SHA1
36e981dc5f82436f5f88a272ca9bcc3eb8a355e6

SHA256
aa2095d90c2c202f4c7b2d77ad3551e48a1b72bfdf27e5def3f4e7af81b63f44

SHA512
3a3eb62e9146c6fc3a011527d3b29517d431f4054b30d57398ff2e0cdc7aed8d15845d216fb325b8a1fb5f27d8814d23b961cfed2d3ae346c4092e20d6af7ccb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/336-313-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/528-271-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-213-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/676-179-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/740-230-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/764-374-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/764-220-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/764-102-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/780-159-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/780-160-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/872-180-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/900-361-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/904-299-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/956-161-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/988-206-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1080-341-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1080-436-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1220-388-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1228-221-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1292-276-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/1292-275-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/1300-384-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1300-377-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1316-243-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1360-250-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1360-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1412-223-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1448-375-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/1488-63-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/1488-62-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/1500-340-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1512-385-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1512-376-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1624-359-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1628-406-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1632-113-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1632-409-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-317-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-278-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1668-277-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1672-193-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1676-410-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1676-407-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1680-162-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1756-314-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1756-319-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-342-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1820-438-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1820-225-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2008-264-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2016-257-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2024-112-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/2032-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2032-373-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2032-445-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download