838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a

Analysis

max time kernel
174s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Size

205KB
MD5

8d3dfde63e45e5ea688c4a5b587caa8f
SHA1

772b6144b46e585ab54aa1c4267d2fe55ae5c1b3
SHA256

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a
SHA512

a329cfc8089056e591627e98bde8f2bcf735ba4762c9d4a71205cd732574e0f3686650deef265d7b1955b2f82d6ca4d9772c4701890fa884fc83ae3351e2b852
SSDEEP

3072:/qhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:/qhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe lsass.exe rundll32.exewinlogon.exe csrss.exe smss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

cswa.execsrss.exesmss.exeamha.exesmss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.execsrss.exelsass.exe rundll32.exewinlogon.exe csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	cswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

csrss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe cswa.execsrss.execsrss.exesmss.exerundll32.exewinlogon.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exeamha.exelsass.exe smss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cswa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	amha.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

smss.exelsass.exe rundll32.exesmss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.execsrss.execsrss.execsrss.exe cswa.exeamha.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cswa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	amha.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

rundll32.exewinlogon.exe csrss.exe smss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

lsass.exe rundll32.exewinlogon.exe csrss.exe smss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.exesmss.execsrss.exe smss.exe cswa.execsrss.execsrss.execsrss.exe csrss.exe smss.exesmss.exelsass.exesmss.exe smss.exe amha.exeamha.exeamha.exelsass.exelsass.exe lsass.exe lsass.exelsass.exe services.execsrss.exeservices.exe csrss.exe services.exeservices.exe smss.execsrss.exewinlogon.exesmss.exe csrss.exe winlogon.exe lsass.exesmss.exelsass.exe smss.exe csrss.execsrss.exe services.exelsass.exeservices.exe lsass.exe smss.exewinlogon.exeservices.exewinlogon.exe smss.exe services.exe winlogon.exe~Paraysutki_VM_Community~lsass.exewinlogon.exe lsass.exe ~Paraysutki_VM_Community~services.exerundll32.exewinlogon.exewinlogon.exe ~Paraysutki_VM_Community~winlogon.exeservices.exe

pid	process
1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
4348	csrss.exe
4308	smss.exe
5028	csrss.exe
2236	smss.exe
2192	cswa.exe
3104	csrss.exe
3060	csrss.exe
4024	csrss.exe
4128	csrss.exe
4352	smss.exe
936	smss.exe
3432	lsass.exe
2060	smss.exe
1656	smss.exe
3956	amha.exe
4932	amha.exe
1020	amha.exe
2080	lsass.exe
3392	lsass.exe
4420	lsass.exe
2460	lsass.exe
4500	lsass.exe
3032	services.exe
4712	csrss.exe
1280	services.exe
4636	csrss.exe
4040	services.exe
4112	services.exe
644	smss.exe
4904	csrss.exe
3336	winlogon.exe
1080	smss.exe
4888	csrss.exe
4304	winlogon.exe
4360	lsass.exe
2724	smss.exe
1392	lsass.exe
3936	smss.exe
3920	csrss.exe
4252	csrss.exe
4108	services.exe
4576	lsass.exe
3376	services.exe
1952	lsass.exe
3388	smss.exe
4872	winlogon.exe
3368	services.exe
2668	winlogon.exe
1828	smss.exe
4092	services.exe
4292	winlogon.exe
3468	~Paraysutki_VM_Community~
1764	lsass.exe
2268	winlogon.exe
4460	lsass.exe
3208	~Paraysutki_VM_Community~
388	services.exe
3784	rundll32.exe
4492	winlogon.exe
3288	winlogon.exe
1836	~Paraysutki_VM_Community~
3560	winlogon.exe
784	services.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

smss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe lsass.exe winlogon.exe rundll32.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	lsass.exe

Loads dropped DLL 64 IoCs

Processes:

csrss.exesmss.execsrss.exe smss.exe csrss.execsrss.execsrss.exe csrss.exe smss.exesmss.exelsass.exesmss.exe smss.exe lsass.exelsass.exe lsass.exe lsass.exelsass.exe services.execsrss.exeservices.exe csrss.exe services.exeservices.exe smss.execsrss.exewinlogon.exesmss.exe csrss.exe winlogon.exe lsass.exesmss.exelsass.exe smss.exe csrss.execsrss.exe services.exelsass.exeservices.exe lsass.exe smss.exewinlogon.exeservices.exewinlogon.exe smss.exe services.exe winlogon.exe~Paraysutki_VM_Community~lsass.exewinlogon.exe lsass.exe ~Paraysutki_VM_Community~services.exerundll32.exewinlogon.exewinlogon.exe ~Paraysutki_VM_Community~winlogon.exeservices.exewinlogon.exe services.exe ~Paraysutki_VM_Community~winlogon.exewinlogon.exe

pid	process
4348	csrss.exe
4308	smss.exe
5028	csrss.exe
2236	smss.exe
3104	csrss.exe
3060	csrss.exe
4024	csrss.exe
4128	csrss.exe
936	smss.exe
4352	smss.exe
3432	lsass.exe
2060	smss.exe
1656	smss.exe
2080	lsass.exe
3392	lsass.exe
4420	lsass.exe
2460	lsass.exe
4500	lsass.exe
3032	services.exe
4712	csrss.exe
1280	services.exe
4636	csrss.exe
4040	services.exe
4112	services.exe
644	smss.exe
4904	csrss.exe
3336	winlogon.exe
1080	smss.exe
4888	csrss.exe
4304	winlogon.exe
4360	lsass.exe
2724	smss.exe
1392	lsass.exe
3936	smss.exe
3920	csrss.exe
4252	csrss.exe
4108	services.exe
4576	lsass.exe
3376	services.exe
1952	lsass.exe
3388	smss.exe
4872	winlogon.exe
3368	services.exe
2668	winlogon.exe
1828	smss.exe
4092	services.exe
4292	winlogon.exe
3468	~Paraysutki_VM_Community~
1764	lsass.exe
2268	winlogon.exe
4460	lsass.exe
3208	~Paraysutki_VM_Community~
388	services.exe
3784	rundll32.exe
4492	winlogon.exe
3288	winlogon.exe
1836	~Paraysutki_VM_Community~
3560	winlogon.exe
784	services.exe
3792	winlogon.exe
3000	services.exe
3540	~Paraysutki_VM_Community~
4488	winlogon.exe
4168	winlogon.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe rundll32.execsrss.exe csrss.execsrss.exesmss.exe cswa.exesmss.exewinlogon.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe amha.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	cswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exe rundll32.exewinlogon.exe csrss.exe smss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cswa.exeamha.exe

description	ioc	process
File opened (read-only)	\??\Z:	cswa.exe
File opened (read-only)	\??\E:	amha.exe
File opened (read-only)	\??\M:	amha.exe
File opened (read-only)	\??\Q:	amha.exe
File opened (read-only)	\??\T:	amha.exe
File opened (read-only)	\??\J:	cswa.exe
File opened (read-only)	\??\F:	amha.exe
File opened (read-only)	\??\G:	cswa.exe
File opened (read-only)	\??\L:	cswa.exe
File opened (read-only)	\??\Q:	cswa.exe
File opened (read-only)	\??\S:	cswa.exe
File opened (read-only)	\??\K:	cswa.exe
File opened (read-only)	\??\T:	cswa.exe
File opened (read-only)	\??\X:	cswa.exe
File opened (read-only)	\??\R:	cswa.exe
File opened (read-only)	\??\N:	amha.exe
File opened (read-only)	\??\W:	amha.exe
File opened (read-only)	\??\H:	cswa.exe
File opened (read-only)	\??\M:	cswa.exe
File opened (read-only)	\??\N:	cswa.exe
File opened (read-only)	\??\W:	cswa.exe
File opened (read-only)	\??\B:	amha.exe
File opened (read-only)	\??\H:	amha.exe
File opened (read-only)	\??\K:	amha.exe
File opened (read-only)	\??\P:	amha.exe
File opened (read-only)	\??\S:	amha.exe
File opened (read-only)	\??\O:	cswa.exe
File opened (read-only)	\??\U:	cswa.exe
File opened (read-only)	\??\L:	amha.exe
File opened (read-only)	\??\R:	amha.exe
File opened (read-only)	\??\U:	amha.exe
File opened (read-only)	\??\Y:	amha.exe
File opened (read-only)	\??\E:	cswa.exe
File opened (read-only)	\??\O:	amha.exe
File opened (read-only)	\??\F:	cswa.exe
File opened (read-only)	\??\I:	cswa.exe
File opened (read-only)	\??\V:	cswa.exe
File opened (read-only)	\??\Z:	amha.exe
File opened (read-only)	\??\B:	cswa.exe
File opened (read-only)	\??\P:	cswa.exe
File opened (read-only)	\??\G:	amha.exe
File opened (read-only)	\??\I:	amha.exe
File opened (read-only)	\??\J:	amha.exe
File opened (read-only)	\??\V:	amha.exe
File opened (read-only)	\??\X:	amha.exe
File opened (read-only)	\??\Y:	cswa.exe

Drops file in System32 directory 64 IoCs

Processes:

smss.execsrss.exeservices.exe lsass.exewinlogon.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.execsrss.exe csrss.exeamha.execsrss.exesmss.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe services.exeamha.exelsass.exe winlogon.exe~Paraysutki_VM_Community~smss.exe cswa.exelsass.exesmss.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~~Paraysutki_VM_Community~services.exelsass.exelsass.exeservices.execsrss.exe~Paraysutki_VM_Community~

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	amha.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	amha.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	cswa.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe

Drops file in Program Files directory 27 IoCs

Processes:

cswa.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	cswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	cswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	cswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	cswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	cswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	cswa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

csrss.exe smss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe lsass.exe rundll32.exewinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Modifies registry class 64 IoCs

Processes:

cswa.exeamha.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.execsrss.exelsass.exe csrss.exe csrss.exesmss.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe rundll32.exewinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	cswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	cswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	cswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	cswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	cswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	cswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	cswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	cswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	cswa.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
3896	ping.exe
2516	ping.exe
4884	ping.exe
4116	ping.exe
1840	ping.exe
3940	ping.exe
4024	ping.exe
748	ping.exe
1648	ping.exe
2668	ping.exe
4420	ping.exe
4660	ping.exe
1532	ping.exe
1360	ping.exe
4912	ping.exe
5032	ping.exe
1056	ping.exe
4308	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exeservices.exe

pid	process
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4348	csrss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
4308	smss.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe
3032	services.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4708 rundll32.exe
4496 rundll32.exe
1444 rundll32.exe
4680 rundll32.exe
3700 rundll32.exe
3368 rundll32.exe

pid	process
4708	rundll32.exe
4496	rundll32.exe
1444	rundll32.exe
4680	rundll32.exe
3700	rundll32.exe
3368	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.exesmss.execsrss.exe smss.exe csrss.execswa.execsrss.exe csrss.execsrss.exe smss.exesmss.exelsass.exesmss.exe smss.exe lsass.exeamha.exeamha.exeamha.exelsass.exe lsass.exe lsass.exelsass.exe services.execsrss.exeservices.exe services.execsrss.exe services.exe csrss.exesmss.exewinlogon.exesmss.exe csrss.exe winlogon.exe lsass.exesmss.exelsass.exe smss.exe csrss.exeservices.execsrss.exe lsass.exeservices.exe lsass.exe winlogon.exeservices.exesmss.exeservices.exe winlogon.exe smss.exe winlogon.exelsass.exe~Paraysutki_VM_Community~winlogon.exe lsass.exe ~Paraysutki_VM_Community~services.exerundll32.exewinlogon.exewinlogon.exe ~Paraysutki_VM_Community~winlogon.exe

pid	process
4452	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
4348	csrss.exe
4308	smss.exe
5028	csrss.exe
2236	smss.exe
3104	csrss.exe
2192	cswa.exe
4024	csrss.exe
3060	csrss.exe
4128	csrss.exe
936	smss.exe
4352	smss.exe
3432	lsass.exe
2060	smss.exe
1656	smss.exe
2080	lsass.exe
3956	amha.exe
4932	amha.exe
1020	amha.exe
4420	lsass.exe
3392	lsass.exe
2460	lsass.exe
4500	lsass.exe
3032	services.exe
4712	csrss.exe
1280	services.exe
4040	services.exe
4636	csrss.exe
4112	services.exe
4904	csrss.exe
644	smss.exe
3336	winlogon.exe
1080	smss.exe
4888	csrss.exe
4304	winlogon.exe
4360	lsass.exe
2724	smss.exe
1392	lsass.exe
3936	smss.exe
3920	csrss.exe
4108	services.exe
4252	csrss.exe
4576	lsass.exe
3376	services.exe
1952	lsass.exe
4872	winlogon.exe
3368	services.exe
3388	smss.exe
4092	services.exe
2668	winlogon.exe
1828	smss.exe
4292	winlogon.exe
1764	lsass.exe
3468	~Paraysutki_VM_Community~
2268	winlogon.exe
4460	lsass.exe
3208	~Paraysutki_VM_Community~
388	services.exe
3784	rundll32.exe
4492	winlogon.exe
3288	winlogon.exe
1836	~Paraysutki_VM_Community~
3560	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4452 wrote to memory of 1844	4452	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
PID 4452 wrote to memory of 1844	4452	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
PID 4452 wrote to memory of 1844	4452	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
PID 1844 wrote to memory of 4348	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	csrss.exe
PID 1844 wrote to memory of 4348	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	csrss.exe
PID 1844 wrote to memory of 4348	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	csrss.exe
PID 1844 wrote to memory of 4308	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	smss.exe
PID 1844 wrote to memory of 4308	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	smss.exe
PID 1844 wrote to memory of 4308	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	smss.exe
PID 4348 wrote to memory of 5028	4348	csrss.exe	csrss.exe
PID 4348 wrote to memory of 5028	4348	csrss.exe	csrss.exe
PID 4348 wrote to memory of 5028	4348	csrss.exe	csrss.exe
PID 4308 wrote to memory of 2236	4308	smss.exe	smss.exe
PID 4308 wrote to memory of 2236	4308	smss.exe	smss.exe
PID 4308 wrote to memory of 2236	4308	smss.exe	smss.exe
PID 4452 wrote to memory of 2192	4452	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	cswa.exe
PID 4452 wrote to memory of 2192	4452	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	cswa.exe
PID 4452 wrote to memory of 2192	4452	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	cswa.exe
PID 5028 wrote to memory of 3104	5028	csrss.exe	csrss.exe
PID 5028 wrote to memory of 3104	5028	csrss.exe	csrss.exe
PID 5028 wrote to memory of 3104	5028	csrss.exe	csrss.exe
PID 2236 wrote to memory of 3060	2236	smss.exe	csrss.exe
PID 2236 wrote to memory of 3060	2236	smss.exe	csrss.exe
PID 2236 wrote to memory of 3060	2236	smss.exe	csrss.exe
PID 3104 wrote to memory of 4024	3104	csrss.exe	csrss.exe
PID 3104 wrote to memory of 4024	3104	csrss.exe	csrss.exe
PID 3104 wrote to memory of 4024	3104	csrss.exe	csrss.exe
PID 3060 wrote to memory of 4128	3060	csrss.exe	csrss.exe
PID 3060 wrote to memory of 4128	3060	csrss.exe	csrss.exe
PID 3060 wrote to memory of 4128	3060	csrss.exe	csrss.exe
PID 5028 wrote to memory of 936	5028	csrss.exe	smss.exe
PID 5028 wrote to memory of 936	5028	csrss.exe	smss.exe
PID 5028 wrote to memory of 936	5028	csrss.exe	smss.exe
PID 2236 wrote to memory of 4352	2236	smss.exe	smss.exe
PID 2236 wrote to memory of 4352	2236	smss.exe	smss.exe
PID 2236 wrote to memory of 4352	2236	smss.exe	smss.exe
PID 1844 wrote to memory of 3432	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	lsass.exe
PID 1844 wrote to memory of 3432	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	lsass.exe
PID 1844 wrote to memory of 3432	1844	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	lsass.exe
PID 936 wrote to memory of 2060	936	smss.exe	smss.exe
PID 936 wrote to memory of 2060	936	smss.exe	smss.exe
PID 936 wrote to memory of 2060	936	smss.exe	smss.exe
PID 4352 wrote to memory of 1656	4352	smss.exe	smss.exe
PID 4352 wrote to memory of 1656	4352	smss.exe	smss.exe
PID 4352 wrote to memory of 1656	4352	smss.exe	smss.exe
PID 3060 wrote to memory of 3956	3060	csrss.exe	amha.exe
PID 3060 wrote to memory of 3956	3060	csrss.exe	amha.exe
PID 3060 wrote to memory of 3956	3060	csrss.exe	amha.exe
PID 4348 wrote to memory of 4932	4348	csrss.exe	amha.exe
PID 4348 wrote to memory of 4932	4348	csrss.exe	amha.exe
PID 4348 wrote to memory of 4932	4348	csrss.exe	amha.exe
PID 4308 wrote to memory of 1020	4308	smss.exe	amha.exe
PID 4308 wrote to memory of 1020	4308	smss.exe	amha.exe
PID 4308 wrote to memory of 1020	4308	smss.exe	amha.exe
PID 5028 wrote to memory of 2080	5028	csrss.exe	lsass.exe
PID 5028 wrote to memory of 2080	5028	csrss.exe	lsass.exe
PID 5028 wrote to memory of 2080	5028	csrss.exe	lsass.exe
PID 3432 wrote to memory of 3392	3432	lsass.exe	lsass.exe
PID 3432 wrote to memory of 3392	3432	lsass.exe	lsass.exe
PID 3432 wrote to memory of 3392	3432	lsass.exe	lsass.exe
PID 2080 wrote to memory of 4420	2080	lsass.exe	lsass.exe
PID 2080 wrote to memory of 4420	2080	lsass.exe	lsass.exe
PID 2080 wrote to memory of 4420	2080	lsass.exe	lsass.exe
PID 2236 wrote to memory of 2460	2236	smss.exe	lsass.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe lsass.exe rundll32.exewinlogon.exe csrss.exe smss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
"C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1844

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5028

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3936

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2268

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:4496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:4948

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:3940

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:3896

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:2460

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:3080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:4696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:4040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3560

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Loads dropped DLL
PID:3792

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:3540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:1896

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1056

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:1540

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:2668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:5072

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:1656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:5068

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3784

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe" csrss
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2236

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4128

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4304

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
PID:3784

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:1444

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:4888

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:4912

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4884

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:5032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:3924

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:424

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:2216

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:4344

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Drops file in System32 directory
PID:1568

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:3700

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:1856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:4648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:384

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:2444

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:5112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:2560

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:4660

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:4116

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1840

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe" smss
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3392

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4708

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:1484

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:2516

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1532

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1360

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:3948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:5068

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:4900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:3972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Loads dropped DLL
PID:3000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Loads dropped DLL
PID:4488

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
- Loads dropped DLL
PID:4168

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
- Drops file in System32 directory
PID:3908

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:3368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
3⤵
PID:2712

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
3⤵
- Runs ping.exe
PID:4308

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:4420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2460

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
3⤵
PID:3600

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
3⤵
PID:2156

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
3⤵
PID:4536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
3⤵
PID:2008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:1280

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\cswa.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\cswa.exe" 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\amha.exe

Filesize
76KB

MD5
11c5e580702bc5042221a267deeecdc8

SHA1
a2367f88e3f3f84571d14851261993bea8957f53

SHA256
08357154bd6fed4a202252e7ededc2701f174d0d718aa8816bb46a9158d85441

SHA512
bc71d93f1d847d493fff985770ff2252baedc4475173ff3180faa26092ee0c210897f9d6b482c58307a1344ebcb01ce4694b8c9dbeb48c3327a3f637870ff780

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\amha.exe

Filesize
76KB

MD5
11c5e580702bc5042221a267deeecdc8

SHA1
a2367f88e3f3f84571d14851261993bea8957f53

SHA256
08357154bd6fed4a202252e7ededc2701f174d0d718aa8816bb46a9158d85441

SHA512
bc71d93f1d847d493fff985770ff2252baedc4475173ff3180faa26092ee0c210897f9d6b482c58307a1344ebcb01ce4694b8c9dbeb48c3327a3f637870ff780

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\amha.exe

Filesize
76KB

MD5
11c5e580702bc5042221a267deeecdc8

SHA1
a2367f88e3f3f84571d14851261993bea8957f53

SHA256
08357154bd6fed4a202252e7ededc2701f174d0d718aa8816bb46a9158d85441

SHA512
bc71d93f1d847d493fff985770ff2252baedc4475173ff3180faa26092ee0c210897f9d6b482c58307a1344ebcb01ce4694b8c9dbeb48c3327a3f637870ff780

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\cswa.exe

Filesize
76KB

MD5
43f68fa007f169433ff3cf00eff6d19f

SHA1
fe8b03e3acd2ccaff1a4bb38a8bd0b308809e990

SHA256
bfc1afe4fd294567aa659cb282b2696044eeb270197ce18ff61ce7f21c3eee42

SHA512
036b1e0f340d45d2b1482829db175775a588968fc612ef2de1907f623245f6e02a50a4742958e8bc31f27cee2a06b123daa786573e375853646f5e482361404d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
883c76b0e05527c4b4107de1ac2001ca

SHA1
30d0618395f401eb31c1c3548b0114b6ec43db9b

SHA256
f495d15681e35b6f88d35a39e8483f9e2beb1332270fe8fad5a0d88978218b72

SHA512
858c4847bd062145f1c537228bc732d8e54f6b469fb92881447288f94be8c87101f7ecf379dce3e8d462c4be76db2257e9908c2f79e57c5738684ee977391e7c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
883c76b0e05527c4b4107de1ac2001ca

SHA1
30d0618395f401eb31c1c3548b0114b6ec43db9b

SHA256
f495d15681e35b6f88d35a39e8483f9e2beb1332270fe8fad5a0d88978218b72

SHA512
858c4847bd062145f1c537228bc732d8e54f6b469fb92881447288f94be8c87101f7ecf379dce3e8d462c4be76db2257e9908c2f79e57c5738684ee977391e7c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
883c76b0e05527c4b4107de1ac2001ca

SHA1
30d0618395f401eb31c1c3548b0114b6ec43db9b

SHA256
f495d15681e35b6f88d35a39e8483f9e2beb1332270fe8fad5a0d88978218b72

SHA512
858c4847bd062145f1c537228bc732d8e54f6b469fb92881447288f94be8c87101f7ecf379dce3e8d462c4be76db2257e9908c2f79e57c5738684ee977391e7c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
883c76b0e05527c4b4107de1ac2001ca

SHA1
30d0618395f401eb31c1c3548b0114b6ec43db9b

SHA256
f495d15681e35b6f88d35a39e8483f9e2beb1332270fe8fad5a0d88978218b72

SHA512
858c4847bd062145f1c537228bc732d8e54f6b469fb92881447288f94be8c87101f7ecf379dce3e8d462c4be76db2257e9908c2f79e57c5738684ee977391e7c

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
0576c2925e076b3f6b9526586b043c79

SHA1
92edd5bb2e4a2ee6e203ca7fc4bfe13a22c499de

SHA256
166c4616ee5d4f9d84a0c7ca13e1ae49ea4f8659b6588f9a28db41b2b85fd509

SHA512
95c5ee4ce79ff1d967d0d5d3bedec86e156b6a297796d27a800c993a521a2af97d4fba73f078ba1f253a40bfc8a77fef04e58cb47fe131e260e2e124d2259646

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe

Filesize
76KB

MD5
11c5e580702bc5042221a267deeecdc8

SHA1
a2367f88e3f3f84571d14851261993bea8957f53

SHA256
08357154bd6fed4a202252e7ededc2701f174d0d718aa8816bb46a9158d85441

SHA512
bc71d93f1d847d493fff985770ff2252baedc4475173ff3180faa26092ee0c210897f9d6b482c58307a1344ebcb01ce4694b8c9dbeb48c3327a3f637870ff780

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\cswa.exe

Filesize
76KB

MD5
43f68fa007f169433ff3cf00eff6d19f

SHA1
fe8b03e3acd2ccaff1a4bb38a8bd0b308809e990

SHA256
bfc1afe4fd294567aa659cb282b2696044eeb270197ce18ff61ce7f21c3eee42

SHA512
036b1e0f340d45d2b1482829db175775a588968fc612ef2de1907f623245f6e02a50a4742958e8bc31f27cee2a06b123daa786573e375853646f5e482361404d

Download Submit
\??\c:\windows\SysWOW64\CommandPrompt.Sysm

Filesize
76KB

MD5
90a1cdd8c542fe5bd29c2cdf8db8fac6

SHA1
b2b5aa3a3dc75f175cb1b513baa39f1d05a9407e

SHA256
09308309cc3410b5dc7f41aa441e08bfac269aed73f8d55d64c0009ed4271584

SHA512
85a3185d64db09bc9c632e64defac7fb68bc1f0c90df0c41f3ac8e45147730183fbb011793eb1fbd05e160e24cac416838f06ee0b6469f33b6227a85929fe374

Download Submit
\??\c:\windows\SysWOW64\Desktop.sysm

Filesize
76KB

MD5
90a1cdd8c542fe5bd29c2cdf8db8fac6

SHA1
b2b5aa3a3dc75f175cb1b513baa39f1d05a9407e

SHA256
09308309cc3410b5dc7f41aa441e08bfac269aed73f8d55d64c0009ed4271584

SHA512
85a3185d64db09bc9c632e64defac7fb68bc1f0c90df0c41f3ac8e45147730183fbb011793eb1fbd05e160e24cac416838f06ee0b6469f33b6227a85929fe374

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
11c5e580702bc5042221a267deeecdc8

SHA1
a2367f88e3f3f84571d14851261993bea8957f53

SHA256
08357154bd6fed4a202252e7ededc2701f174d0d718aa8816bb46a9158d85441

SHA512
bc71d93f1d847d493fff985770ff2252baedc4475173ff3180faa26092ee0c210897f9d6b482c58307a1344ebcb01ce4694b8c9dbeb48c3327a3f637870ff780

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
510aeedbc83ed32a3ca8a7d50c846dfb

SHA1
09e93b6758593f3277e953e8a968fe87e9c2e9ac

SHA256
53b8f76b8d1289bc9f8ceefb35bd1219c0962d0bcb199b55f81c98d4a681b034

SHA512
ddac96322cf7b694c6f6d54d8771e42fe425e8857abc1fad34493ce88c1fba9e1fa92722db60a9b05744c1aca95243fa7c5a45094fe78b36e688975464b41643

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
510aeedbc83ed32a3ca8a7d50c846dfb

SHA1
09e93b6758593f3277e953e8a968fe87e9c2e9ac

SHA256
53b8f76b8d1289bc9f8ceefb35bd1219c0962d0bcb199b55f81c98d4a681b034

SHA512
ddac96322cf7b694c6f6d54d8771e42fe425e8857abc1fad34493ce88c1fba9e1fa92722db60a9b05744c1aca95243fa7c5a45094fe78b36e688975464b41643

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
90a1cdd8c542fe5bd29c2cdf8db8fac6

SHA1
b2b5aa3a3dc75f175cb1b513baa39f1d05a9407e

SHA256
09308309cc3410b5dc7f41aa441e08bfac269aed73f8d55d64c0009ed4271584

SHA512
85a3185d64db09bc9c632e64defac7fb68bc1f0c90df0c41f3ac8e45147730183fbb011793eb1fbd05e160e24cac416838f06ee0b6469f33b6227a85929fe374

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/388-399-0x0000000000000000-mapping.dmp

Download
memory/644-299-0x0000000000000000-mapping.dmp

Download
memory/936-206-0x0000000000000000-mapping.dmp

Download
memory/1020-242-0x0000000000000000-mapping.dmp

Download
memory/1080-311-0x0000000000000000-mapping.dmp

Download
memory/1080-320-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1280-305-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1280-438-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1280-288-0x0000000000000000-mapping.dmp

Download
memory/1392-332-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1392-328-0x0000000000000000-mapping.dmp

Download
memory/1392-343-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1656-271-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1656-246-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1656-225-0x0000000000000000-mapping.dmp

Download
memory/1764-385-0x0000000000000000-mapping.dmp

Download
memory/1828-384-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1828-370-0x0000000000000000-mapping.dmp

Download
memory/1836-418-0x0000000000000000-mapping.dmp

Download
memory/1844-448-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1844-141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1844-134-0x0000000000000000-mapping.dmp

Download
memory/1952-363-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-353-0x0000000000000000-mapping.dmp

Download
memory/2060-245-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-249-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-221-0x0000000000000000-mapping.dmp

Download
memory/2080-248-0x0000000000000000-mapping.dmp

Download
memory/2192-167-0x0000000000000000-mapping.dmp

Download
memory/2236-161-0x0000000000000000-mapping.dmp

Download
memory/2236-204-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2236-173-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2236-447-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2268-401-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2268-388-0x0000000000000000-mapping.dmp

Download
memory/2460-266-0x0000000000000000-mapping.dmp

Download
memory/2668-381-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-371-0x0000000000000000-mapping.dmp

Download
memory/2724-323-0x0000000000000000-mapping.dmp

Download
memory/3000-430-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3032-281-0x0000000000000000-mapping.dmp

Download
memory/3060-183-0x0000000000000000-mapping.dmp

Download
memory/3104-170-0x0000000000000000-mapping.dmp

Download
memory/3208-400-0x0000000000000000-mapping.dmp

Download
memory/3288-417-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3288-414-0x0000000000000000-mapping.dmp

Download
memory/3336-309-0x0000000000000000-mapping.dmp

Download
memory/3368-362-0x0000000000000000-mapping.dmp

Download
memory/3376-352-0x0000000000000000-mapping.dmp

Download
memory/3376-358-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3388-360-0x0000000000000000-mapping.dmp

Download
memory/3392-442-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3392-261-0x0000000000000000-mapping.dmp

Download
memory/3432-212-0x0000000000000000-mapping.dmp

Download
memory/3468-382-0x0000000000000000-mapping.dmp

Download
memory/3784-406-0x0000000000000000-mapping.dmp

Download
memory/3784-410-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3792-429-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3920-336-0x0000000000000000-mapping.dmp

Download
memory/3936-344-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3936-334-0x0000000000000000-mapping.dmp

Download
memory/3956-235-0x0000000000000000-mapping.dmp

Download
memory/4024-185-0x0000000000000000-mapping.dmp

Download
memory/4024-195-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4024-236-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4024-205-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4040-290-0x0000000000000000-mapping.dmp

Download
memory/4092-372-0x0000000000000000-mapping.dmp

Download
memory/4092-379-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4108-341-0x0000000000000000-mapping.dmp

Download
memory/4112-297-0x0000000000000000-mapping.dmp

Download
memory/4112-306-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4128-237-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4128-198-0x0000000000000000-mapping.dmp

Download
memory/4128-203-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4168-437-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4168-440-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4252-359-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4252-351-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4252-340-0x0000000000000000-mapping.dmp

Download
memory/4292-380-0x0000000000000000-mapping.dmp

Download
memory/4304-333-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4304-316-0x0000000000000000-mapping.dmp

Download
memory/4304-445-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4308-144-0x0000000000000000-mapping.dmp

Download
memory/4348-139-0x0000000000000000-mapping.dmp

Download
memory/4352-207-0x0000000000000000-mapping.dmp

Download
memory/4360-321-0x0000000000000000-mapping.dmp

Download
memory/4420-262-0x0000000000000000-mapping.dmp

Download
memory/4420-278-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4460-392-0x0000000000000000-mapping.dmp

Download
memory/4460-397-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4492-411-0x0000000000000000-mapping.dmp

Download
memory/4496-408-0x0000000000000000-mapping.dmp

Download
memory/4500-283-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4500-277-0x0000000000000000-mapping.dmp

Download
memory/4576-342-0x0000000000000000-mapping.dmp

Download
memory/4636-289-0x0000000000000000-mapping.dmp

Download
memory/4636-302-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4708-398-0x0000000000000000-mapping.dmp

Download
memory/4712-282-0x0000000000000000-mapping.dmp

Download
memory/4872-361-0x0000000000000000-mapping.dmp

Download
memory/4888-310-0x0000000000000000-mapping.dmp

Download
memory/4888-324-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4904-300-0x0000000000000000-mapping.dmp

Download
memory/4932-239-0x0000000000000000-mapping.dmp

Download
memory/5028-446-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5028-155-0x0000000000000000-mapping.dmp

Download
memory/5028-172-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download