a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb

Analysis

max time kernel
64s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Size

205KB
MD5

85cb2600f03138bf625a6476a93b17c6
SHA1

076940d269058b75718ff44ac0ff52d5a84e3dae
SHA256

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb
SHA512

4300dd08959311c4cd1075088da8811144faf8111307f3c69b58ffade3135c34f7e2431facf198689d58ec037a362b25372cb8735e23ac579415020477e7cd09
SSDEEP

3072:OqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:OqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

csrss.exeamhw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	amhw.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

csrss.exeamhw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	amhw.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

amhw.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	amhw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

Executes dropped EXE 45 IoCs

Processes:

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe csrss.execsrss.exe csrss.execsrss.exe amhw.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exelsass.exesmss.exeservices.exesmss.exe lsass.exelsass.exe lsass.exe smss.exe services.exeservices.exe lsass.exeservices.exe lsass.exe services.exeservices.exe winlogon.execsrss.exeservices.exewinlogon.exewinlogon.exeservices.exe winlogon.exe winlogon.exe ~Paraysutki_VM_Community~smss.exewinlogon.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~

pid	process
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
2040	csrss.exe
1464	csrss.exe
1740	csrss.exe
1976	csrss.exe
1540	amhw.exe
972	smss.exe
1028	smss.exe
1728	csrss.exe
1164	csrss.exe
1652	smss.exe
824	smss.exe
944	lsass.exe
1368	lsass.exe
1560	csrss.exe
1584	csrss.exe
1000	smss.exe
1720	lsass.exe
636	smss.exe
768	services.exe
592	smss.exe
1156	lsass.exe
1976	lsass.exe
780	lsass.exe
1524	smss.exe
1092	services.exe
1888	services.exe
1692	lsass.exe
360	services.exe
1840	lsass.exe
1892	services.exe
1164	services.exe
1660	winlogon.exe
1836	csrss.exe
1040	services.exe
428	winlogon.exe
960	winlogon.exe
1372	services.exe
604	winlogon.exe
1744	winlogon.exe
1816	~Paraysutki_VM_Community~
1588	smss.exe
1192	winlogon.exe
340	~Paraysutki_VM_Community~
1664	~Paraysutki_VM_Community~

Loads dropped DLL 64 IoCs

Processes:

pid	process
1428	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1428	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
1464	csrss.exe
1464	csrss.exe
1464	csrss.exe
1740	csrss.exe
1740	csrss.exe
1976	csrss.exe
1740	csrss.exe
1740	csrss.exe
1464	csrss.exe
1464	csrss.exe
972	smss.exe
972	smss.exe
972	smss.exe
1028	smss.exe
1028	smss.exe
1028	smss.exe
1728	csrss.exe
1728	csrss.exe
1164	csrss.exe
1028	smss.exe
1028	smss.exe
1652	smss.exe
1652	smss.exe
824	smss.exe
1028	smss.exe
1028	smss.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
1368	lsass.exe
1368	lsass.exe
1368	lsass.exe
1560	csrss.exe
1560	csrss.exe
1584	csrss.exe
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1464	csrss.exe
1464	csrss.exe
1368	lsass.exe
1368	lsass.exe
1028	smss.exe
1000	smss.exe
1028	smss.exe
1000	smss.exe
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1720	lsass.exe
592	smss.exe
636	smss.exe
1156	lsass.exe
768	services.exe
1156	lsass.exe
1720	lsass.exe
636	smss.exe
1464	csrss.exe
1464	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

amhw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	amhw.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

amhw.exe

description	ioc	process
File opened (read-only)	\??\F:	amhw.exe
File opened (read-only)	\??\K:	amhw.exe
File opened (read-only)	\??\P:	amhw.exe
File opened (read-only)	\??\W:	amhw.exe
File opened (read-only)	\??\T:	amhw.exe
File opened (read-only)	\??\B:	amhw.exe
File opened (read-only)	\??\E:	amhw.exe
File opened (read-only)	\??\G:	amhw.exe
File opened (read-only)	\??\I:	amhw.exe
File opened (read-only)	\??\J:	amhw.exe
File opened (read-only)	\??\Q:	amhw.exe
File opened (read-only)	\??\R:	amhw.exe
File opened (read-only)	\??\U:	amhw.exe
File opened (read-only)	\??\V:	amhw.exe
File opened (read-only)	\??\H:	amhw.exe
File opened (read-only)	\??\N:	amhw.exe
File opened (read-only)	\??\Y:	amhw.exe
File opened (read-only)	\??\L:	amhw.exe
File opened (read-only)	\??\M:	amhw.exe
File opened (read-only)	\??\O:	amhw.exe
File opened (read-only)	\??\S:	amhw.exe
File opened (read-only)	\??\X:	amhw.exe
File opened (read-only)	\??\Z:	amhw.exe

Drops file in System32 directory 64 IoCs

Processes:

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe services.exeservices.exe csrss.exe amhw.exesmss.exesmss.exe smss.exelsass.exe lsass.exewinlogon.execsrss.exesmss.exelsass.exeservices.execsrss.exelsass.exeservices.exea4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.execsrss.exeservices.exe

description	ioc	process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	amhw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	amhw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	amhw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe

Drops file in Program Files directory 34 IoCs

Processes:

amhw.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	amhw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	amhw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	amhw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	amhw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	amhw.exe

Modifies registry class 36 IoCs

Processes:

csrss.exeamhw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	amhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	amhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	amhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	amhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	amhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	amhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	amhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	amhw.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
1000	ping.exe
608	ping.exe
1736	ping.exe
924	ping.exe
1824	ping.exe
892	ping.exe
1384	ping.exe
696	ping.exe
1472	ping.exe
340	ping.exe
1720	ping.exe
1588	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exelsass.exeservices.exe

pid	process
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
2040	csrss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
972	smss.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
944	lsass.exe
768	services.exe
768	services.exe
768	services.exe
768	services.exe

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exea4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe csrss.execsrss.exe csrss.execsrss.exe amhw.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exelsass.exelsass.exesmss.exeservices.exesmss.exe lsass.exe lsass.exe services.exelsass.exeservices.exe services.exe lsass.exe services.exeservices.exe winlogon.exeservices.exewinlogon.exeservices.exe winlogon.exe

pid	process
1428	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
2040	csrss.exe
1464	csrss.exe
1740	csrss.exe
1976	csrss.exe
1540	amhw.exe
972	smss.exe
1028	smss.exe
1728	csrss.exe
1164	csrss.exe
1652	smss.exe
824	smss.exe
944	lsass.exe
1368	lsass.exe
1560	csrss.exe
1584	csrss.exe
1000	smss.exe
1156	lsass.exe
1720	lsass.exe
636	smss.exe
768	services.exe
592	smss.exe
780	lsass.exe
1976	lsass.exe
1092	services.exe
1692	lsass.exe
360	services.exe
1888	services.exe
1840	lsass.exe
1892	services.exe
1164	services.exe
1660	winlogon.exe
1040	services.exe
960	winlogon.exe
1372	services.exe
1744	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1428 wrote to memory of 1280	1428	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
PID 1428 wrote to memory of 1280	1428	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
PID 1428 wrote to memory of 1280	1428	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
PID 1428 wrote to memory of 1280	1428	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
PID 1280 wrote to memory of 2040	1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	csrss.exe
PID 1280 wrote to memory of 2040	1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	csrss.exe
PID 1280 wrote to memory of 2040	1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	csrss.exe
PID 1280 wrote to memory of 2040	1280	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	csrss.exe
PID 2040 wrote to memory of 1464	2040	csrss.exe	csrss.exe
PID 2040 wrote to memory of 1464	2040	csrss.exe	csrss.exe
PID 2040 wrote to memory of 1464	2040	csrss.exe	csrss.exe
PID 2040 wrote to memory of 1464	2040	csrss.exe	csrss.exe
PID 1464 wrote to memory of 1740	1464	csrss.exe	csrss.exe
PID 1464 wrote to memory of 1740	1464	csrss.exe	csrss.exe
PID 1464 wrote to memory of 1740	1464	csrss.exe	csrss.exe
PID 1464 wrote to memory of 1740	1464	csrss.exe	csrss.exe
PID 1740 wrote to memory of 1976	1740	csrss.exe	csrss.exe
PID 1740 wrote to memory of 1976	1740	csrss.exe	csrss.exe
PID 1740 wrote to memory of 1976	1740	csrss.exe	csrss.exe
PID 1740 wrote to memory of 1976	1740	csrss.exe	csrss.exe
PID 1740 wrote to memory of 1540	1740	csrss.exe	amhw.exe
PID 1740 wrote to memory of 1540	1740	csrss.exe	amhw.exe
PID 1740 wrote to memory of 1540	1740	csrss.exe	amhw.exe
PID 1740 wrote to memory of 1540	1740	csrss.exe	amhw.exe
PID 1464 wrote to memory of 972	1464	csrss.exe	smss.exe
PID 1464 wrote to memory of 972	1464	csrss.exe	smss.exe
PID 1464 wrote to memory of 972	1464	csrss.exe	smss.exe
PID 1464 wrote to memory of 972	1464	csrss.exe	smss.exe
PID 972 wrote to memory of 1028	972	smss.exe	smss.exe
PID 972 wrote to memory of 1028	972	smss.exe	smss.exe
PID 972 wrote to memory of 1028	972	smss.exe	smss.exe
PID 972 wrote to memory of 1028	972	smss.exe	smss.exe
PID 1028 wrote to memory of 1728	1028	smss.exe	csrss.exe
PID 1028 wrote to memory of 1728	1028	smss.exe	csrss.exe
PID 1028 wrote to memory of 1728	1028	smss.exe	csrss.exe
PID 1028 wrote to memory of 1728	1028	smss.exe	csrss.exe
PID 1728 wrote to memory of 1164	1728	csrss.exe	csrss.exe
PID 1728 wrote to memory of 1164	1728	csrss.exe	csrss.exe
PID 1728 wrote to memory of 1164	1728	csrss.exe	csrss.exe
PID 1728 wrote to memory of 1164	1728	csrss.exe	csrss.exe
PID 1028 wrote to memory of 1652	1028	smss.exe	smss.exe
PID 1028 wrote to memory of 1652	1028	smss.exe	smss.exe
PID 1028 wrote to memory of 1652	1028	smss.exe	smss.exe
PID 1028 wrote to memory of 1652	1028	smss.exe	smss.exe
PID 1652 wrote to memory of 824	1652	smss.exe	smss.exe
PID 1652 wrote to memory of 824	1652	smss.exe	smss.exe
PID 1652 wrote to memory of 824	1652	smss.exe	smss.exe
PID 1652 wrote to memory of 824	1652	smss.exe	smss.exe
PID 1028 wrote to memory of 944	1028	smss.exe	lsass.exe
PID 1028 wrote to memory of 944	1028	smss.exe	lsass.exe
PID 1028 wrote to memory of 944	1028	smss.exe	lsass.exe
PID 1028 wrote to memory of 944	1028	smss.exe	lsass.exe
PID 944 wrote to memory of 1368	944	lsass.exe	lsass.exe
PID 944 wrote to memory of 1368	944	lsass.exe	lsass.exe
PID 944 wrote to memory of 1368	944	lsass.exe	lsass.exe
PID 944 wrote to memory of 1368	944	lsass.exe	lsass.exe
PID 1368 wrote to memory of 1560	1368	lsass.exe	csrss.exe
PID 1368 wrote to memory of 1560	1368	lsass.exe	csrss.exe
PID 1368 wrote to memory of 1560	1368	lsass.exe	csrss.exe
PID 1368 wrote to memory of 1560	1368	lsass.exe	csrss.exe
PID 1560 wrote to memory of 1584	1560	csrss.exe	csrss.exe
PID 1560 wrote to memory of 1584	1560	csrss.exe	csrss.exe
PID 1560 wrote to memory of 1584	1560	csrss.exe	csrss.exe
PID 1560 wrote to memory of 1584	1560	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
"C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1976

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amhw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\amhw.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
- Executes dropped EXE
PID:1524

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
PID:1976

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:1736

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:1472

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:924

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:1084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:1696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
PID:1808

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
PID:756

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
PID:1956

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
PID:892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
PID:1396

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
PID:1156

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
PID:1772

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
PID:976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
PID:936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:1984

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:892

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:1384

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:1000

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:1944

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
PID:428

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
PID:540

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
PID:340

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
PID:1248

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:608

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:696

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:1824

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:1728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:1984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:1428

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:576

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:612

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:360

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
PID:604

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
PID:1960

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:340

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:268

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1720

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:1232

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:1756

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:592

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:780

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
PID:1036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\amhw.exe
Filesize
76KB

MD5
843963f5b357e7fb1b9b0472c6e92a52

SHA1
88f4677c5c192dc72be14502e1a1bb1775378d10

SHA256
6125303ac25ae093d78eb96bfb1a7fc1e0d49f954eb7f4279979d4cafad72c02

SHA512
0854980fb41cbdf57087f9d27ed6aad0991cdf3f90041335849a6bbfa3f1bea32c4aa8280112d89c9bc6d9eda6f980a6a20986baedf799e5405dc7b61cd55a45

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amhw.exe
Filesize
76KB

MD5
843963f5b357e7fb1b9b0472c6e92a52

SHA1
88f4677c5c192dc72be14502e1a1bb1775378d10

SHA256
6125303ac25ae093d78eb96bfb1a7fc1e0d49f954eb7f4279979d4cafad72c02

SHA512
0854980fb41cbdf57087f9d27ed6aad0991cdf3f90041335849a6bbfa3f1bea32c4aa8280112d89c9bc6d9eda6f980a6a20986baedf799e5405dc7b61cd55a45

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
0d7f485c39366fc8a6c4efad604abd65

SHA1
761f9f7a92a74cc75ea7a9d496065e5b14321c6d

SHA256
3b833b5c8afb66d5dd89a235d9b0eacfc2d192ae0f3dc54e59231bf35a77236c

SHA512
b7a65861f4fb385775324fcdbc8b45d8fdf0348509f955e6b0983ac5ac79c0e6d441350d6ce07eafd751888fb19f16d4ed36ae2a1851f914d1f8125ae909a8cf

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\amhw.exe
Filesize
76KB

MD5
843963f5b357e7fb1b9b0472c6e92a52

SHA1
88f4677c5c192dc72be14502e1a1bb1775378d10

SHA256
6125303ac25ae093d78eb96bfb1a7fc1e0d49f954eb7f4279979d4cafad72c02

SHA512
0854980fb41cbdf57087f9d27ed6aad0991cdf3f90041335849a6bbfa3f1bea32c4aa8280112d89c9bc6d9eda6f980a6a20986baedf799e5405dc7b61cd55a45

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\amhw.exe
Filesize
76KB

MD5
843963f5b357e7fb1b9b0472c6e92a52

SHA1
88f4677c5c192dc72be14502e1a1bb1775378d10

SHA256
6125303ac25ae093d78eb96bfb1a7fc1e0d49f954eb7f4279979d4cafad72c02

SHA512
0854980fb41cbdf57087f9d27ed6aad0991cdf3f90041335849a6bbfa3f1bea32c4aa8280112d89c9bc6d9eda6f980a6a20986baedf799e5405dc7b61cd55a45

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4eea95e48ef40ec0a2d15f51b305cd7f

SHA1
23ac8432c1de602832388167663e2a6ded213a34

SHA256
1e46d8019f90d2c0cf3a7e04d8b84428f5c4e1e1dd1f13dea9401e51ef03554c

SHA512
402f25a07c3892d0f8fca1d97d3a411f76dbe28e472ebd31a3b6cae2e6b62338d24c4557edaef6154833f1e41e104db8fae5b415563a704c22a0a1530df468a0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/340-277-0x0000000000000000-mapping.dmp

Download
memory/360-245-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/360-225-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/360-214-0x0000000000000000-mapping.dmp

Download
memory/428-246-0x0000000000000000-mapping.dmp

Download
memory/540-310-0x0000000000000000-mapping.dmp

Download
memory/592-189-0x0000000000000000-mapping.dmp

Download
memory/592-200-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/592-238-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/604-264-0x0000000000000000-mapping.dmp

Download
memory/608-330-0x0000000000000000-mapping.dmp

Download
memory/636-184-0x0000000000000000-mapping.dmp

Download
memory/696-332-0x0000000000000000-mapping.dmp

Download
memory/756-289-0x0000000000000000-mapping.dmp

Download
memory/768-227-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/768-226-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/768-254-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/768-255-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/768-186-0x0000000000000000-mapping.dmp

Download
memory/780-271-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/780-197-0x0000000000000000-mapping.dmp

Download
memory/780-240-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/824-161-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/824-154-0x0000000000000000-mapping.dmp

Download
memory/892-328-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/892-317-0x0000000000000000-mapping.dmp

Download
memory/892-336-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/924-333-0x0000000000000000-mapping.dmp

Download
memory/944-180-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/944-179-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/944-164-0x0000000000000000-mapping.dmp

Download
memory/944-185-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/960-250-0x0000000000000000-mapping.dmp

Download
memory/972-288-0x0000000000000000-mapping.dmp

Download
memory/972-155-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/972-116-0x0000000000000000-mapping.dmp

Download
memory/976-335-0x0000000000000000-mapping.dmp

Download
memory/1000-182-0x0000000000000000-mapping.dmp

Download
memory/1028-362-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1028-124-0x0000000000000000-mapping.dmp

Download
memory/1028-156-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1036-303-0x0000000000000000-mapping.dmp

Download
memory/1040-244-0x0000000000000000-mapping.dmp

Download
memory/1040-263-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1092-253-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1092-206-0x0000000000000000-mapping.dmp

Download
memory/1156-190-0x0000000000000000-mapping.dmp

Download
memory/1164-237-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1164-138-0x0000000000000000-mapping.dmp

Download
memory/1164-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1164-257-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1164-233-0x0000000000000000-mapping.dmp

Download
memory/1192-276-0x0000000000000000-mapping.dmp

Download
memory/1248-309-0x0000000000000000-mapping.dmp

Download
memory/1280-102-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1280-58-0x0000000000000000-mapping.dmp

Download
memory/1280-295-0x0000000074C41000-0x0000000074C43000-memory.dmp

Filesize
8KB

Download
memory/1368-169-0x0000000000000000-mapping.dmp

Download
memory/1368-356-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1368-181-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1372-282-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1372-262-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1372-260-0x0000000000000000-mapping.dmp

Download
memory/1396-302-0x0000000000000000-mapping.dmp

Download
memory/1396-360-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1428-101-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1428-100-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1464-74-0x0000000000000000-mapping.dmp

Download
memory/1464-103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1472-331-0x0000000000000000-mapping.dmp

Download
memory/1524-205-0x0000000000000000-mapping.dmp

Download
memory/1540-106-0x0000000000000000-mapping.dmp

Download
memory/1560-172-0x0000000000000000-mapping.dmp

Download
memory/1584-178-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1584-175-0x0000000000000000-mapping.dmp

Download
memory/1588-275-0x0000000000000000-mapping.dmp

Download
memory/1588-292-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1652-146-0x0000000000000000-mapping.dmp

Download
memory/1660-243-0x0000000000000000-mapping.dmp

Download
memory/1664-281-0x0000000000000000-mapping.dmp

Download
memory/1692-216-0x0000000000000000-mapping.dmp

Download
memory/1720-183-0x0000000000000000-mapping.dmp

Download
memory/1728-131-0x0000000000000000-mapping.dmp

Download
memory/1736-329-0x0000000000000000-mapping.dmp

Download
memory/1740-86-0x0000000000000000-mapping.dmp

Download
memory/1740-113-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1744-286-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1744-272-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1744-270-0x0000000000000000-mapping.dmp

Download
memory/1772-323-0x0000000000000000-mapping.dmp

Download
memory/1808-304-0x0000000000000000-mapping.dmp

Download
memory/1808-344-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-274-0x0000000000000000-mapping.dmp

Download
memory/1824-334-0x0000000000000000-mapping.dmp

Download
memory/1836-311-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1836-241-0x0000000000000000-mapping.dmp

Download
memory/1840-261-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1840-222-0x0000000000000000-mapping.dmp

Download
memory/1840-256-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1888-215-0x0000000000000000-mapping.dmp

Download
memory/1888-224-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1888-252-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1892-236-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1892-273-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1892-230-0x0000000000000000-mapping.dmp

Download
memory/1956-290-0x0000000000000000-mapping.dmp

Download
memory/1960-307-0x0000000000000000-mapping.dmp

Download
memory/1976-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-242-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-94-0x0000000000000000-mapping.dmp

Download
memory/1976-201-0x0000000000000000-mapping.dmp

Download
memory/1976-239-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-204-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-308-0x0000000000000000-mapping.dmp

Download
memory/2040-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads