9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219

Analysis

max time kernel
152s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Size

163KB
MD5

d7698c2f7324e6b8ee0b43b66543b7db
SHA1

ace8f658a1c9e164911faaba6c2fccefea29e9b2
SHA256

9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219
SHA512

3667ccd392c8747cce3a119a077e1d75edbef8acb59b968391ab7f777b4cc241df8d2138f566bce22cbf431c709076336301bd74be9cf9364a4c66af108ca06a
SSDEEP

3072:EqhMPsVMYjUtQl78voutbzoI7h+aS1Gnf:EqhMPsFjU2F8voSbzo0naGf

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

services.exe winlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.exe smss.exe lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

csrss.exe smss.exe lsass.exe services.exe csrss.exevcnv.exewinlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

vcnv.exewinlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.exe smss.exe lsass.exe services.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	vcnv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

csrss.exevcnv.exewinlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.exe smss.exe lsass.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vcnv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.exe smss.exe lsass.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

csrss.exe smss.exe lsass.exe services.exe winlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.execsrss.exe csrss.execsrss.exe vcnv.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe smss.exelsass.exesmss.exe lsass.exe services.exelsass.exeservices.exe lsass.exe winlogon.exewinlogon.exe services.exeservices.exe Paraysutki_VM_Communitywinlogon.exewinlogon.exe Paraysutki_VM_Communitylsass.exelsass.exe services.exeservices.exe services.exeservices.exe winlogon.exewinlogon.exe winlogon.exewinlogon.exe Paraysutki_VM_CommunityParaysutki_VM_Community

pid	process
3996	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
3092	csrss.exe
3864	csrss.exe
3376	csrss.exe
2376	csrss.exe
1444	vcnv.exe
4112	smss.exe
4712	smss.exe
936	csrss.exe
2408	csrss.exe
2312	smss.exe
4448	smss.exe
4988	lsass.exe
4884	lsass.exe
4320	csrss.exe
2784	csrss.exe
1216	smss.exe
2024	smss.exe
3684	lsass.exe
3292	lsass.exe
916	services.exe
4984	services.exe
3644	csrss.exe
4432	csrss.exe
1228	smss.exe
4516	smss.exe
3392	lsass.exe
4204	lsass.exe
3412	services.exe
3228	services.exe
1096	winlogon.exe
3760	winlogon.exe
4584	csrss.exe
364	csrss.exe
2976	smss.exe
1480	smss.exe
4480	smss.exe
4788	lsass.exe
4900	smss.exe
4400	lsass.exe
1080	services.exe
2676	lsass.exe
4552	services.exe
4912	lsass.exe
1184	winlogon.exe
4216	winlogon.exe
4336	services.exe
3852	services.exe
4920	Paraysutki_VM_Community
3968	winlogon.exe
4700	winlogon.exe
2908	Paraysutki_VM_Community
4344	lsass.exe
2968	lsass.exe
4392	services.exe
4948	services.exe
2788	services.exe
448	services.exe
2784	winlogon.exe
4160	winlogon.exe
2688	winlogon.exe
4440	winlogon.exe
4200	Paraysutki_VM_Community
1468	Paraysutki_VM_Community

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services.exe winlogon.exe smss.exe lsass.exe csrss.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	services.exe

Loads dropped DLL 64 IoCs

Processes:

csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe smss.exelsass.exesmss.exe lsass.exe services.exelsass.exeservices.exe lsass.exe winlogon.exewinlogon.exe services.exeservices.exe Paraysutki_VM_Communitywinlogon.exewinlogon.exe Paraysutki_VM_Communitylsass.exelsass.exe services.exeservices.exe services.exeservices.exe winlogon.exewinlogon.exe winlogon.exewinlogon.exe Paraysutki_VM_CommunityParaysutki_VM_Communitywinlogon.exewinlogon.exe

pid	process
3092	csrss.exe
3864	csrss.exe
3376	csrss.exe
2376	csrss.exe
4112	smss.exe
4712	smss.exe
936	csrss.exe
2408	csrss.exe
2312	smss.exe
4448	smss.exe
4988	lsass.exe
4884	lsass.exe
4320	csrss.exe
2784	csrss.exe
1216	smss.exe
2024	smss.exe
3684	lsass.exe
3292	lsass.exe
916	services.exe
4984	services.exe
3644	csrss.exe
4432	csrss.exe
1228	smss.exe
4516	smss.exe
3392	lsass.exe
4204	lsass.exe
3412	services.exe
3228	services.exe
1096	winlogon.exe
3760	winlogon.exe
4584	csrss.exe
364	csrss.exe
2976	smss.exe
1480	smss.exe
4480	smss.exe
4788	lsass.exe
4900	smss.exe
4400	lsass.exe
1080	services.exe
2676	lsass.exe
4552	services.exe
4912	lsass.exe
1184	winlogon.exe
4216	winlogon.exe
4336	services.exe
3852	services.exe
4920	Paraysutki_VM_Community
3968	winlogon.exe
4700	winlogon.exe
2908	Paraysutki_VM_Community
4344	lsass.exe
2968	lsass.exe
4392	services.exe
4948	services.exe
2788	services.exe
448	services.exe
2784	winlogon.exe
4160	winlogon.exe
2688	winlogon.exe
4440	winlogon.exe
4200	Paraysutki_VM_Community
1468	Paraysutki_VM_Community
1704	winlogon.exe
4492	winlogon.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe services.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe smss.exe winlogon.exe csrss.exe vcnv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.exe smss.exe lsass.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vcnv.exe

description	ioc	process
File opened (read-only)	\??\M:	vcnv.exe
File opened (read-only)	\??\T:	vcnv.exe
File opened (read-only)	\??\W:	vcnv.exe
File opened (read-only)	\??\X:	vcnv.exe
File opened (read-only)	\??\H:	vcnv.exe
File opened (read-only)	\??\G:	vcnv.exe
File opened (read-only)	\??\I:	vcnv.exe
File opened (read-only)	\??\K:	vcnv.exe
File opened (read-only)	\??\O:	vcnv.exe
File opened (read-only)	\??\U:	vcnv.exe
File opened (read-only)	\??\B:	vcnv.exe
File opened (read-only)	\??\J:	vcnv.exe
File opened (read-only)	\??\Q:	vcnv.exe
File opened (read-only)	\??\R:	vcnv.exe
File opened (read-only)	\??\V:	vcnv.exe
File opened (read-only)	\??\Y:	vcnv.exe
File opened (read-only)	\??\Z:	vcnv.exe
File opened (read-only)	\??\F:	vcnv.exe
File opened (read-only)	\??\L:	vcnv.exe
File opened (read-only)	\??\N:	vcnv.exe
File opened (read-only)	\??\P:	vcnv.exe
File opened (read-only)	\??\S:	vcnv.exe
File opened (read-only)	\??\E:	vcnv.exe

Drops file in System32 directory 64 IoCs

Processes:

9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.exe smss.exe services.exesmss.exelsass.execsrss.exewinlogon.exeservices.exe lsass.exeParaysutki_VM_Communitylsass.exeservices.exesmss.exelsass.exe winlogon.exe smss.exeParaysutki_VM_CommunityParaysutki_VM_Communityvcnv.exesmss.exeParaysutki_VM_Communitylsass.exeservices.exewinlogon.exe

description	ioc	process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	vcnv.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe

Drops file in Program Files directory 27 IoCs

Processes:

vcnv.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	vcnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	vcnv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

winlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe smss.exe lsass.exe services.exe csrss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe

Modifies registry class 48 IoCs

Processes:

csrss.exevcnv.exewinlogon.exe csrss.exe smss.exe lsass.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	vcnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	vcnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	vcnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	vcnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	vcnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	vcnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	vcnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	vcnv.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
1524	ping.exe
3480	ping.exe
640	ping.exe
4748	ping.exe
2480	ping.exe
3876	ping.exe
2728	ping.exe
2832	ping.exe
520	ping.exe
3132	ping.exe
4392	ping.exe
4352	ping.exe
176	ping.exe
2976	ping.exe
1928	ping.exe
344	ping.exe
1748	ping.exe
4468	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exe

pid	process
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
3092	csrss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe
4112	smss.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4528 rundll32.exe
3892 rundll32.exe
4256 rundll32.exe
1708 rundll32.exe
2692 rundll32.exe
2360 rundll32.exe

pid	process
4528	rundll32.exe
3892	rundll32.exe
4256	rundll32.exe
1708	rundll32.exe
2692	rundll32.exe
2360	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe csrss.execsrss.exe csrss.execsrss.exe vcnv.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe smss.exelsass.exesmss.exe lsass.exe services.exelsass.exelsass.exe services.exe winlogon.exewinlogon.exe services.exeservices.exe Paraysutki_VM_Communitywinlogon.exewinlogon.exe Paraysutki_VM_Communitylsass.exelsass.exe services.exeservices.exe services.exeservices.exe winlogon.exewinlogon.exe winlogon.exewinlogon.exe Paraysutki_VM_Community

pid	process
5080	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
3996	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
3092	csrss.exe
3864	csrss.exe
3376	csrss.exe
2376	csrss.exe
1444	vcnv.exe
4112	smss.exe
4712	smss.exe
936	csrss.exe
2408	csrss.exe
2312	smss.exe
4448	smss.exe
4988	lsass.exe
4884	lsass.exe
4320	csrss.exe
2784	csrss.exe
1216	smss.exe
2024	smss.exe
3684	lsass.exe
3292	lsass.exe
916	services.exe
4984	services.exe
3644	csrss.exe
4432	csrss.exe
1228	smss.exe
4516	smss.exe
3392	lsass.exe
4204	lsass.exe
3412	services.exe
3228	services.exe
1096	winlogon.exe
3760	winlogon.exe
4584	csrss.exe
364	csrss.exe
2976	smss.exe
1480	smss.exe
4480	smss.exe
4788	lsass.exe
4900	smss.exe
4400	lsass.exe
1080	services.exe
2676	lsass.exe
4912	lsass.exe
4552	services.exe
1184	winlogon.exe
4216	winlogon.exe
4336	services.exe
3852	services.exe
4920	Paraysutki_VM_Community
3968	winlogon.exe
4700	winlogon.exe
2908	Paraysutki_VM_Community
4344	lsass.exe
2968	lsass.exe
4392	services.exe
4948	services.exe
2788	services.exe
448	services.exe
2784	winlogon.exe
4160	winlogon.exe
2688	winlogon.exe
4440	winlogon.exe
4200	Paraysutki_VM_Community

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 5080 wrote to memory of 3996	5080	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
PID 5080 wrote to memory of 3996	5080	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
PID 5080 wrote to memory of 3996	5080	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
PID 3996 wrote to memory of 3092	3996	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe	csrss.exe
PID 3996 wrote to memory of 3092	3996	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe	csrss.exe
PID 3996 wrote to memory of 3092	3996	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe	csrss.exe
PID 3092 wrote to memory of 3864	3092	csrss.exe	csrss.exe
PID 3092 wrote to memory of 3864	3092	csrss.exe	csrss.exe
PID 3092 wrote to memory of 3864	3092	csrss.exe	csrss.exe
PID 3864 wrote to memory of 3376	3864	csrss.exe	csrss.exe
PID 3864 wrote to memory of 3376	3864	csrss.exe	csrss.exe
PID 3864 wrote to memory of 3376	3864	csrss.exe	csrss.exe
PID 3376 wrote to memory of 2376	3376	csrss.exe	csrss.exe
PID 3376 wrote to memory of 2376	3376	csrss.exe	csrss.exe
PID 3376 wrote to memory of 2376	3376	csrss.exe	csrss.exe
PID 3376 wrote to memory of 1444	3376	csrss.exe	vcnv.exe
PID 3376 wrote to memory of 1444	3376	csrss.exe	vcnv.exe
PID 3376 wrote to memory of 1444	3376	csrss.exe	vcnv.exe
PID 3864 wrote to memory of 4112	3864	csrss.exe	smss.exe
PID 3864 wrote to memory of 4112	3864	csrss.exe	smss.exe
PID 3864 wrote to memory of 4112	3864	csrss.exe	smss.exe
PID 4112 wrote to memory of 4712	4112	smss.exe	smss.exe
PID 4112 wrote to memory of 4712	4112	smss.exe	smss.exe
PID 4112 wrote to memory of 4712	4112	smss.exe	smss.exe
PID 4712 wrote to memory of 936	4712	smss.exe	csrss.exe
PID 4712 wrote to memory of 936	4712	smss.exe	csrss.exe
PID 4712 wrote to memory of 936	4712	smss.exe	csrss.exe
PID 936 wrote to memory of 2408	936	csrss.exe	csrss.exe
PID 936 wrote to memory of 2408	936	csrss.exe	csrss.exe
PID 936 wrote to memory of 2408	936	csrss.exe	csrss.exe
PID 4712 wrote to memory of 2312	4712	smss.exe	smss.exe
PID 4712 wrote to memory of 2312	4712	smss.exe	smss.exe
PID 4712 wrote to memory of 2312	4712	smss.exe	smss.exe
PID 2312 wrote to memory of 4448	2312	smss.exe	smss.exe
PID 2312 wrote to memory of 4448	2312	smss.exe	smss.exe
PID 2312 wrote to memory of 4448	2312	smss.exe	smss.exe
PID 4712 wrote to memory of 4988	4712	smss.exe	lsass.exe
PID 4712 wrote to memory of 4988	4712	smss.exe	lsass.exe
PID 4712 wrote to memory of 4988	4712	smss.exe	lsass.exe
PID 4988 wrote to memory of 4884	4988	lsass.exe	lsass.exe
PID 4988 wrote to memory of 4884	4988	lsass.exe	lsass.exe
PID 4988 wrote to memory of 4884	4988	lsass.exe	lsass.exe
PID 4884 wrote to memory of 4320	4884	lsass.exe	csrss.exe
PID 4884 wrote to memory of 4320	4884	lsass.exe	csrss.exe
PID 4884 wrote to memory of 4320	4884	lsass.exe	csrss.exe
PID 4320 wrote to memory of 2784	4320	csrss.exe	csrss.exe
PID 4320 wrote to memory of 2784	4320	csrss.exe	csrss.exe
PID 4320 wrote to memory of 2784	4320	csrss.exe	csrss.exe
PID 4884 wrote to memory of 1216	4884	lsass.exe	smss.exe
PID 4884 wrote to memory of 1216	4884	lsass.exe	smss.exe
PID 4884 wrote to memory of 1216	4884	lsass.exe	smss.exe
PID 1216 wrote to memory of 2024	1216	smss.exe	smss.exe
PID 1216 wrote to memory of 2024	1216	smss.exe	smss.exe
PID 1216 wrote to memory of 2024	1216	smss.exe	smss.exe
PID 4884 wrote to memory of 3684	4884	lsass.exe	lsass.exe
PID 4884 wrote to memory of 3684	4884	lsass.exe	lsass.exe
PID 4884 wrote to memory of 3684	4884	lsass.exe	lsass.exe
PID 3684 wrote to memory of 3292	3684	lsass.exe	lsass.exe
PID 3684 wrote to memory of 3292	3684	lsass.exe	lsass.exe
PID 3684 wrote to memory of 3292	3684	lsass.exe	lsass.exe
PID 4884 wrote to memory of 916	4884	lsass.exe	services.exe
PID 4884 wrote to memory of 916	4884	lsass.exe	services.exe
PID 4884 wrote to memory of 916	4884	lsass.exe	services.exe
PID 916 wrote to memory of 4984	916	services.exe	services.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.exe smss.exe lsass.exe services.exe winlogon.exe 9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

C:\Users\Admin\AppData\Local\Temp\9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
"C:\Users\Admin\AppData\Local\Temp\9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
C:\Users\Admin\AppData\Local\Temp\9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3996

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2376

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcnv.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\vcnv.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4884

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3292

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
13⤵
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:1748

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:3480

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:2480

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
11⤵
- Drops file in System32 directory
PID:364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
11⤵
- Suspicious use of FindShellTrayWindow
PID:4528

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:4392

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:1928

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:3876

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
9⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1704

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
10⤵
- Loads dropped DLL
PID:4492

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
9⤵
PID:944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
- Suspicious use of FindShellTrayWindow
PID:4256

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:344

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:2976

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:4468

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1468

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:3892

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4352

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:176

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:2728

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:2360

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:520

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:640

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:3132

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:2692

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1524

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:4748

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:2832

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Users\Admin\AppData\Local\Temp\9794140876af52d9df2ec6da5a3dfbc46cf8032922ead79d2857a390100d6219.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\vcnv.exe

Filesize
76KB

MD5
9878ead5a7e0a3f951f54fc335703399

SHA1
d28850ff969d60ed0dc44f0257e88eafc7491141

SHA256
20eaf15faabc27fbdc1516bcc43bf8db473dbec57c2dadaeb2a75e6dfb5c1d33

SHA512
bc556b8704061f150ae449923b3bcd72b208a54c038f5a2177f4639f935fdf45be3a205375ed3f7807e5d7c2c2e317403d0b44d5a554b5999f5218b936467e5f

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

Filesize
86KB

MD5
f8c8afe96c9efaecac648f1a96e45fd3

SHA1
21947b2ce0d2827d84ee4db4b8aa31bedb4d6298

SHA256
18fcd8e9650e18c390405ad0d12841f9c5640b3ae5057fbae9ffd04b7e920021

SHA512
fb92249a85d1a57f9048efd8b829f0edbdd131eacd6cc564f366877e135e27ecb246b71a1cea08bf573caae28921621c50c5b1823a8d907b011713d6f0e850af

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
163KB

MD5
074e3007b249ca82b01d358bff1067b7

SHA1
f258fa640841c883713b24a187522f81f1ccd3a6

SHA256
4d86b156a534dbadb5a54f9484f7afcd3bd8845473a73ec044c2d65773ede9db

SHA512
f40004ad511ba9bbb35a6be1cb8e10eace2f82e6417fbfc7e8f8710f411f02bf1e97fb8c23fc5408535616b4c8600f564540295deb41adb1aff73a651fa3cb6e

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcnv.exe

Filesize
76KB

MD5
9878ead5a7e0a3f951f54fc335703399

SHA1
d28850ff969d60ed0dc44f0257e88eafc7491141

SHA256
20eaf15faabc27fbdc1516bcc43bf8db473dbec57c2dadaeb2a75e6dfb5c1d33

SHA512
bc556b8704061f150ae449923b3bcd72b208a54c038f5a2177f4639f935fdf45be3a205375ed3f7807e5d7c2c2e317403d0b44d5a554b5999f5218b936467e5f

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
2f7c8c7ffea1b3571e4b302346c3a958

SHA1
ec2b8834dbd80f3965c1063d52fec01c008ee039

SHA256
e4724c55472d8acbd434adafa6ac20fe89312a49cc4d6cae62d177f9e3512f92

SHA512
04fe51c6075fe9cd7886d41856f43ab0abcc30be3c25b8333970c683674eac394585501621635a1d2087eef2c670364e50554efd97494d358b16aa39f29acff9

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/364-314-0x0000000000000000-mapping.dmp

Download
memory/364-317-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/448-403-0x0000000000000000-mapping.dmp

Download
memory/448-408-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/916-265-0x0000000000000000-mapping.dmp

Download
memory/936-192-0x0000000000000000-mapping.dmp

Download
memory/1080-340-0x0000000000000000-mapping.dmp

Download
memory/1096-305-0x0000000000000000-mapping.dmp

Download
memory/1184-354-0x0000000000000000-mapping.dmp

Download
memory/1216-241-0x0000000000000000-mapping.dmp

Download
memory/1228-281-0x0000000000000000-mapping.dmp

Download
memory/1444-172-0x0000000000000000-mapping.dmp

Download
memory/1480-321-0x0000000000000000-mapping.dmp

Download
memory/1480-324-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1708-380-0x0000000000000000-mapping.dmp

Download
memory/2024-252-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-247-0x0000000000000000-mapping.dmp

Download
memory/2312-204-0x0000000000000000-mapping.dmp

Download
memory/2376-165-0x0000000000000000-mapping.dmp

Download
memory/2376-170-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2408-198-0x0000000000000000-mapping.dmp

Download
memory/2408-203-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-341-0x0000000000000000-mapping.dmp

Download
memory/2688-414-0x0000000000000000-mapping.dmp

Download
memory/2692-386-0x0000000000000000-mapping.dmp

Download
memory/2784-405-0x0000000000000000-mapping.dmp

Download
memory/2784-234-0x0000000000000000-mapping.dmp

Download
memory/2784-239-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2788-399-0x0000000000000000-mapping.dmp

Download
memory/2908-381-0x0000000000000000-mapping.dmp

Download
memory/2968-388-0x0000000000000000-mapping.dmp

Download
memory/2968-392-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-318-0x0000000000000000-mapping.dmp

Download
memory/3092-140-0x0000000000000000-mapping.dmp

Download
memory/3228-303-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3228-300-0x0000000000000000-mapping.dmp

Download
memory/3292-264-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-259-0x0000000000000000-mapping.dmp

Download
memory/3376-159-0x0000000000000000-mapping.dmp

Download
memory/3392-290-0x0000000000000000-mapping.dmp

Download
memory/3412-297-0x0000000000000000-mapping.dmp

Download
memory/3644-274-0x0000000000000000-mapping.dmp

Download
memory/3684-253-0x0000000000000000-mapping.dmp

Download
memory/3760-434-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3760-308-0x0000000000000000-mapping.dmp

Download
memory/3760-326-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3852-365-0x0000000000000000-mapping.dmp

Download
memory/3852-369-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-171-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-436-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-148-0x0000000000000000-mapping.dmp

Download
memory/3968-372-0x0000000000000000-mapping.dmp

Download
memory/3996-304-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3996-134-0x0000000000000000-mapping.dmp

Download
memory/3996-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3996-438-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4112-179-0x0000000000000000-mapping.dmp

Download
memory/4160-410-0x0000000000000000-mapping.dmp

Download
memory/4160-413-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-296-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-293-0x0000000000000000-mapping.dmp

Download
memory/4216-357-0x0000000000000000-mapping.dmp

Download
memory/4216-360-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4216-364-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4320-228-0x0000000000000000-mapping.dmp

Download
memory/4336-359-0x0000000000000000-mapping.dmp

Download
memory/4344-384-0x0000000000000000-mapping.dmp

Download
memory/4392-393-0x0000000000000000-mapping.dmp

Download
memory/4400-333-0x0000000000000000-mapping.dmp

Download
memory/4400-338-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4432-277-0x0000000000000000-mapping.dmp

Download
memory/4432-280-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-422-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-417-0x0000000000000000-mapping.dmp

Download
memory/4448-215-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4448-210-0x0000000000000000-mapping.dmp

Download
memory/4480-325-0x0000000000000000-mapping.dmp

Download
memory/4492-429-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4516-288-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4516-284-0x0000000000000000-mapping.dmp

Download
memory/4516-289-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4552-352-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4552-347-0x0000000000000000-mapping.dmp

Download
memory/4584-311-0x0000000000000000-mapping.dmp

Download
memory/4700-379-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-378-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-375-0x0000000000000000-mapping.dmp

Download
memory/4712-185-0x0000000000000000-mapping.dmp

Download
memory/4712-191-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4712-391-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4712-437-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4788-327-0x0000000000000000-mapping.dmp

Download
memory/4884-435-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-240-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-222-0x0000000000000000-mapping.dmp

Download
memory/4900-332-0x0000000000000000-mapping.dmp

Download
memory/4900-339-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-353-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-346-0x0000000000000000-mapping.dmp

Download
memory/4920-368-0x0000000000000000-mapping.dmp

Download
memory/4948-396-0x0000000000000000-mapping.dmp

Download
memory/4948-400-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-271-0x0000000000000000-mapping.dmp

Download
memory/4984-287-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-439-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4988-216-0x0000000000000000-mapping.dmp

Download