64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903

Analysis

max time kernel
234s
max time network
273s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Size

205KB
MD5

f5d8ae8917562dbc48142b09ef97bf94
SHA1

d134bd4ffa247fd2886b4ca6291d857d4e052c0a
SHA256

64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903
SHA512

babe2fb9421e66385c3d52ee00d9fffa2dd7663b2a1701fd24e041da5a763ad550ba51c7d49d4a35c0c1146efbe9822202cb3bde338c5ba3bee3c2908622391f
SSDEEP

3072:qqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:qqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

csrss.exe smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.exeamha.exesmss.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.exeamha.exesmss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	amha.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

csrss.exeamha.exesmss.execsrss.exe smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	amha.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

csrss.exe smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

Disables RegEdit via registry modification 3 IoCs

evasion

Processes:

csrss.exe smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 58 IoCs

Processes:

64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.execsrss.exe csrss.execsrss.exe amha.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exelsass.exesmss.exe smss.exe lsass.exelsass.exeservices.exelsass.exe lsass.exe lsass.exe services.exeservices.exewinlogon.exedsap.exeservices.exe services.exe services.exe winlogon.exe winlogon.exewinlogon.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~~Paraysutki_VM_Community~winlogon.exe winlogon.exe csrss.execsrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exesmss.exe smss.exe csrss.exe csrss.exelsass.execsrss.execsrss.exe lsass.exe csrss.exe smss.exesmss.exe lsass.exelsass.exesmss.exesmss.exe

pid	process
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1116	csrss.exe
776	csrss.exe
1620	csrss.exe
928	csrss.exe
1724	amha.exe
808	smss.exe
1436	smss.exe
272	csrss.exe
2036	csrss.exe
916	smss.exe
296	smss.exe
1264	lsass.exe
1732	smss.exe
664	smss.exe
760	lsass.exe
1212	lsass.exe
912	services.exe
1812	lsass.exe
1684	lsass.exe
1788	lsass.exe
2020	services.exe
1740	services.exe
680	winlogon.exe
1620	dsap.exe
1820	services.exe
972	services.exe
1096	services.exe
1516	winlogon.exe
1216	winlogon.exe
1060	winlogon.exe
1952	~Paraysutki_VM_Community~
1704	~Paraysutki_VM_Community~
1136	~Paraysutki_VM_Community~
2004	winlogon.exe
1508	winlogon.exe
908	csrss.exe
1456	csrss.exe
1636	csrss.exe
1696	csrss.exe
1964	csrss.exe
1616	smss.exe
1192	smss.exe
528	smss.exe
800	smss.exe
2004	csrss.exe
1464	csrss.exe
2040	lsass.exe
1508	csrss.exe
832	csrss.exe
1808	lsass.exe
1388	csrss.exe
1116	smss.exe
1956	smss.exe
2052	lsass.exe
2040	lsass.exe
2068	smss.exe
2060	smss.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.exe smss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
1504	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1504	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
776	csrss.exe
776	csrss.exe
776	csrss.exe
1620	csrss.exe
1620	csrss.exe
928	csrss.exe
1620	csrss.exe
1620	csrss.exe
776	csrss.exe
776	csrss.exe
808	smss.exe
808	smss.exe
808	smss.exe
1436	smss.exe
1436	smss.exe
1436	smss.exe
272	csrss.exe
272	csrss.exe
2036	csrss.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
776	csrss.exe
1436	smss.exe
776	csrss.exe
1436	smss.exe
916	smss.exe
1264	lsass.exe
296	smss.exe
916	smss.exe
1436	smss.exe
776	csrss.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1732	smss.exe
296	smss.exe
1436	smss.exe
664	smss.exe
760	lsass.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1212	lsass.exe
776	csrss.exe
1264	lsass.exe
912	services.exe
1264	lsass.exe
1812	lsass.exe
1212	lsass.exe
760	lsass.exe
1684	lsass.exe
1788	lsass.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1436	smss.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1436	smss.exe
1740	services.exe
2020	services.exe
776	csrss.exe
776	csrss.exe
808	smss.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

amha.exesmss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe smss.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.exe smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

amha.exe

description	ioc	process
File opened (read-only)	\??\U:	amha.exe
File opened (read-only)	\??\V:	amha.exe
File opened (read-only)	\??\E:	amha.exe
File opened (read-only)	\??\F:	amha.exe
File opened (read-only)	\??\G:	amha.exe
File opened (read-only)	\??\Q:	amha.exe
File opened (read-only)	\??\R:	amha.exe
File opened (read-only)	\??\T:	amha.exe
File opened (read-only)	\??\B:	amha.exe
File opened (read-only)	\??\L:	amha.exe
File opened (read-only)	\??\M:	amha.exe
File opened (read-only)	\??\P:	amha.exe
File opened (read-only)	\??\W:	amha.exe
File opened (read-only)	\??\Z:	amha.exe
File opened (read-only)	\??\N:	amha.exe
File opened (read-only)	\??\O:	amha.exe
File opened (read-only)	\??\S:	amha.exe
File opened (read-only)	\??\H:	amha.exe
File opened (read-only)	\??\I:	amha.exe
File opened (read-only)	\??\J:	amha.exe
File opened (read-only)	\??\K:	amha.exe
File opened (read-only)	\??\X:	amha.exe
File opened (read-only)	\??\Y:	amha.exe

Drops file in System32 directory 64 IoCs

Processes:

csrss.exe smss.exe services.exe winlogon.exe smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.execsrss.execsrss.exe csrss.exesmss.exelsass.exewinlogon.exesmss.exeservices.exewinlogon.exelsass.exe csrss.exe64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exelsass.exe~Paraysutki_VM_Community~lsass.exeamha.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	amha.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	amha.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe

Drops file in Program Files directory 34 IoCs

Processes:

amha.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	amha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	amha.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	amha.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	amha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	amha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	amha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	amha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	amha.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	amha.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	amha.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	amha.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

smss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	smss.exe

Modifies registry class 58 IoCs

Processes:

csrss.exesmss.exesmss.exe amha.execsrss.exe 64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	amha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	amha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	smss.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid process

1592 ping.exe
552 ping.exe
1144 ping.exe
1208 ping.exe
856 ping.exe
1604 ping.exe
1568 ping.exe
948 ping.exe
828 ping.exe

pid	process
1592	ping.exe
552	ping.exe
1144	ping.exe
1208	ping.exe
856	ping.exe
1604	ping.exe
1568	ping.exe
948	ping.exe
828	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exelsass.exeservices.exe

pid	process
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
808	smss.exe
808	smss.exe
808	smss.exe
808	smss.exe
808	smss.exe
808	smss.exe
808	smss.exe
808	smss.exe
808	smss.exe
808	smss.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
1264	lsass.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe
912	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1576 rundll32.exe
1668 rundll32.exe
1008 rundll32.exe

pid	process
1576	rundll32.exe
1668	rundll32.exe
1008	rundll32.exe

Suspicious use of SetWindowsHookEx 55 IoCs

Processes:

64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.execsrss.exe csrss.execsrss.exe amha.exesmss.exesmss.exe csrss.execsrss.exe smss.exelsass.exesmss.exelsass.exelsass.exeservices.exelsass.exe lsass.exe smss.exe lsass.exe smss.exe services.exeservices.exewinlogon.exedsap.exeservices.exe services.exe services.exe winlogon.exewinlogon.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~winlogon.exe ~Paraysutki_VM_Community~winlogon.exe winlogon.exe csrss.execsrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exesmss.exe smss.exe csrss.exe lsass.execsrss.execsrss.execsrss.exe lsass.exe csrss.exe smss.exesmss.exe

pid	process
1504	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
1116	csrss.exe
776	csrss.exe
1620	csrss.exe
928	csrss.exe
1724	amha.exe
808	smss.exe
1436	smss.exe
272	csrss.exe
2036	csrss.exe
916	smss.exe
1264	lsass.exe
296	smss.exe
760	lsass.exe
1212	lsass.exe
912	services.exe
1788	lsass.exe
1812	lsass.exe
1732	smss.exe
1684	lsass.exe
664	smss.exe
2020	services.exe
1740	services.exe
680	winlogon.exe
1620	dsap.exe
972	services.exe
1820	services.exe
1096	services.exe
1216	winlogon.exe
1060	winlogon.exe
1952	~Paraysutki_VM_Community~
1704	~Paraysutki_VM_Community~
2004	winlogon.exe
1136	~Paraysutki_VM_Community~
1516	winlogon.exe
1508	winlogon.exe
908	csrss.exe
1456	csrss.exe
1636	csrss.exe
1696	csrss.exe
1964	csrss.exe
1616	smss.exe
1192	smss.exe
528	smss.exe
800	smss.exe
2004	csrss.exe
2040	lsass.exe
1464	csrss.exe
1508	csrss.exe
832	csrss.exe
1808	lsass.exe
1388	csrss.exe
1116	smss.exe
1956	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1504 wrote to memory of 520	1504	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
PID 1504 wrote to memory of 520	1504	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
PID 1504 wrote to memory of 520	1504	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
PID 1504 wrote to memory of 520	1504	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
PID 520 wrote to memory of 1116	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	csrss.exe
PID 520 wrote to memory of 1116	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	csrss.exe
PID 520 wrote to memory of 1116	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	csrss.exe
PID 520 wrote to memory of 1116	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	csrss.exe
PID 1116 wrote to memory of 776	1116	csrss.exe	csrss.exe
PID 1116 wrote to memory of 776	1116	csrss.exe	csrss.exe
PID 1116 wrote to memory of 776	1116	csrss.exe	csrss.exe
PID 1116 wrote to memory of 776	1116	csrss.exe	csrss.exe
PID 776 wrote to memory of 1620	776	csrss.exe	csrss.exe
PID 776 wrote to memory of 1620	776	csrss.exe	csrss.exe
PID 776 wrote to memory of 1620	776	csrss.exe	csrss.exe
PID 776 wrote to memory of 1620	776	csrss.exe	csrss.exe
PID 1620 wrote to memory of 928	1620	csrss.exe	csrss.exe
PID 1620 wrote to memory of 928	1620	csrss.exe	csrss.exe
PID 1620 wrote to memory of 928	1620	csrss.exe	csrss.exe
PID 1620 wrote to memory of 928	1620	csrss.exe	csrss.exe
PID 1620 wrote to memory of 1724	1620	csrss.exe	amha.exe
PID 1620 wrote to memory of 1724	1620	csrss.exe	amha.exe
PID 1620 wrote to memory of 1724	1620	csrss.exe	amha.exe
PID 1620 wrote to memory of 1724	1620	csrss.exe	amha.exe
PID 776 wrote to memory of 808	776	csrss.exe	smss.exe
PID 776 wrote to memory of 808	776	csrss.exe	smss.exe
PID 776 wrote to memory of 808	776	csrss.exe	smss.exe
PID 776 wrote to memory of 808	776	csrss.exe	smss.exe
PID 808 wrote to memory of 1436	808	smss.exe	smss.exe
PID 808 wrote to memory of 1436	808	smss.exe	smss.exe
PID 808 wrote to memory of 1436	808	smss.exe	smss.exe
PID 808 wrote to memory of 1436	808	smss.exe	smss.exe
PID 1436 wrote to memory of 272	1436	smss.exe	csrss.exe
PID 1436 wrote to memory of 272	1436	smss.exe	csrss.exe
PID 1436 wrote to memory of 272	1436	smss.exe	csrss.exe
PID 1436 wrote to memory of 272	1436	smss.exe	csrss.exe
PID 272 wrote to memory of 2036	272	csrss.exe	csrss.exe
PID 272 wrote to memory of 2036	272	csrss.exe	csrss.exe
PID 272 wrote to memory of 2036	272	csrss.exe	csrss.exe
PID 272 wrote to memory of 2036	272	csrss.exe	csrss.exe
PID 520 wrote to memory of 916	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	smss.exe
PID 520 wrote to memory of 916	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	smss.exe
PID 520 wrote to memory of 916	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	smss.exe
PID 520 wrote to memory of 916	520	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe	smss.exe
PID 776 wrote to memory of 1264	776	csrss.exe	lsass.exe
PID 776 wrote to memory of 1264	776	csrss.exe	lsass.exe
PID 776 wrote to memory of 1264	776	csrss.exe	lsass.exe
PID 776 wrote to memory of 1264	776	csrss.exe	lsass.exe
PID 1436 wrote to memory of 296	1436	smss.exe	smss.exe
PID 1436 wrote to memory of 296	1436	smss.exe	smss.exe
PID 1436 wrote to memory of 296	1436	smss.exe	smss.exe
PID 1436 wrote to memory of 296	1436	smss.exe	smss.exe
PID 916 wrote to memory of 1732	916	smss.exe	smss.exe
PID 916 wrote to memory of 1732	916	smss.exe	smss.exe
PID 916 wrote to memory of 1732	916	smss.exe	smss.exe
PID 916 wrote to memory of 1732	916	smss.exe	smss.exe
PID 296 wrote to memory of 664	296	smss.exe	smss.exe
PID 296 wrote to memory of 664	296	smss.exe	smss.exe
PID 296 wrote to memory of 664	296	smss.exe	smss.exe
PID 296 wrote to memory of 664	296	smss.exe	smss.exe
PID 1436 wrote to memory of 760	1436	smss.exe	lsass.exe
PID 1436 wrote to memory of 760	1436	smss.exe	lsass.exe
PID 1436 wrote to memory of 760	1436	smss.exe	lsass.exe
PID 1436 wrote to memory of 760	1436	smss.exe	lsass.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe csrss.exe smss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe

C:\Users\Admin\AppData\Local\Temp\64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
"C:\Users\Admin\AppData\Local\Temp\64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
C:\Users\Admin\AppData\Local\Temp\64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:520

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:776

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:928

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1436

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:948

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:856

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:1568

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:1188

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:1192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:1116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:316

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:1892

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe" smss
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
- Executes dropped EXE
PID:2052

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
PID:2172

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
PID:2248

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
PID:2288

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
PID:2360

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:800

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
PID:2084

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
PID:2240

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:680

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
PID:2220

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
PID:2296

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
PID:2324

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
PID:2204

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
PID:2336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
PID:2372

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:1576

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:828

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1604

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1592

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:1548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:572

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:2020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:1556

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:1684

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:1984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:1008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
3⤵
PID:1492

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
3⤵
- Runs ping.exe
PID:552

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1144

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
3⤵
PID:1136

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
3⤵
PID:2116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
3⤵
PID:2136

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
3⤵
PID:2148

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
3⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1117068695-799317368-10602959321228746915-59400102913007128061982292165-263290846"
1⤵
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\amha.exe
Filesize
76KB

MD5
7e39fa11e36dcd80f33328f5b49bb6fe

SHA1
72956208e51866d022d77ed65ee696ba140dce2c

SHA256
635d6dac8745568e9291639911dcdf3a97cc2688219d065b89efe85c62974830

SHA512
20b44d16162922666ffcb8f9e9ffda7a50660bb38751db52bdcb7f24d0cf9d7c2b94f03d71fb58f7521adacb59d54f05bd1dce8c7708f4ce82b51c28377cec32

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\amha.exe
Filesize
76KB

MD5
7e39fa11e36dcd80f33328f5b49bb6fe

SHA1
72956208e51866d022d77ed65ee696ba140dce2c

SHA256
635d6dac8745568e9291639911dcdf3a97cc2688219d065b89efe85c62974830

SHA512
20b44d16162922666ffcb8f9e9ffda7a50660bb38751db52bdcb7f24d0cf9d7c2b94f03d71fb58f7521adacb59d54f05bd1dce8c7708f4ce82b51c28377cec32

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
24f1c1b4290db4edfd34eae634bc071c

SHA1
d9e9a6acf8a803ca023d5d0f7f2f8baa5a46283d

SHA256
8a0e3ad4f36c6dd984dc6b2eaa3114a64db4cf3df60cb090bbf93ebaea17fd50

SHA512
f67174ef211903700475f20ad5b89c4d94f21b3f67be2996603f9f0add40ef2b150470e1d6dfcd0739a9c297bef795ded4a04a13a4b28d4549bf81ce589f1751

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\64dc0d7537d8315912d47e8f56452864575b4281eaaaf49b98dba191f6252903.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\amha.exe
Filesize
76KB

MD5
7e39fa11e36dcd80f33328f5b49bb6fe

SHA1
72956208e51866d022d77ed65ee696ba140dce2c

SHA256
635d6dac8745568e9291639911dcdf3a97cc2688219d065b89efe85c62974830

SHA512
20b44d16162922666ffcb8f9e9ffda7a50660bb38751db52bdcb7f24d0cf9d7c2b94f03d71fb58f7521adacb59d54f05bd1dce8c7708f4ce82b51c28377cec32

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\amha.exe
Filesize
76KB

MD5
7e39fa11e36dcd80f33328f5b49bb6fe

SHA1
72956208e51866d022d77ed65ee696ba140dce2c

SHA256
635d6dac8745568e9291639911dcdf3a97cc2688219d065b89efe85c62974830

SHA512
20b44d16162922666ffcb8f9e9ffda7a50660bb38751db52bdcb7f24d0cf9d7c2b94f03d71fb58f7521adacb59d54f05bd1dce8c7708f4ce82b51c28377cec32

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
ffcd7a94305b58a984a6c9c1b7f13578

SHA1
9e8a50837c2ceb98187d4d89a03f3d00ccdb0924

SHA256
608e4e4dc0acddd21a9fbf081a2d648ea626ad6411b53ab86bde4c5c88e7eb51

SHA512
61e5e11941f91bb5fb68b6849179212fe2df9fa08bf78fcbec621a9bccf5d2deb11850a7fb37beb3cca8ccfe706e1c47b9f62cf3d31e6c43c113fbb75d61db01

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/272-147-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/272-132-0x0000000000000000-mapping.dmp

Download
memory/284-316-0x0000000000000000-mapping.dmp

Download
memory/296-160-0x0000000000000000-mapping.dmp

Download
memory/316-311-0x0000000000000000-mapping.dmp

Download
memory/520-58-0x0000000000000000-mapping.dmp

Download
memory/520-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/528-350-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/572-307-0x0000000000000000-mapping.dmp

Download
memory/664-276-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/664-202-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/664-178-0x0000000000000000-mapping.dmp

Download
memory/680-213-0x0000000000000000-mapping.dmp

Download
memory/680-247-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/680-235-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/680-246-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/760-179-0x0000000000000000-mapping.dmp

Download
memory/760-205-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/760-230-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/776-105-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/776-334-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/776-77-0x0000000000000000-mapping.dmp

Download
memory/776-263-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/800-351-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/800-355-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/808-175-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/808-117-0x0000000000000000-mapping.dmp

Download
memory/808-250-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/808-174-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/808-145-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/808-144-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/828-296-0x0000000000000000-mapping.dmp

Download
memory/832-364-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/856-295-0x0000000000000000-mapping.dmp

Download
memory/908-269-0x0000000000000000-mapping.dmp

Download
memory/912-181-0x0000000000000000-mapping.dmp

Download
memory/916-227-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/916-151-0x0000000000000000-mapping.dmp

Download
memory/928-102-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/928-97-0x0000000000000000-mapping.dmp

Download
memory/948-292-0x0000000000000000-mapping.dmp

Download
memory/972-281-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/972-242-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/972-218-0x0000000000000000-mapping.dmp

Download
memory/1008-338-0x0000000000000000-mapping.dmp

Download
memory/1060-238-0x0000000000000000-mapping.dmp

Download
memory/1096-243-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1096-332-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1096-220-0x0000000000000000-mapping.dmp

Download
memory/1116-104-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/1116-64-0x0000000000000000-mapping.dmp

Download
memory/1116-308-0x0000000000000000-mapping.dmp

Download
memory/1116-103-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/1116-173-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/1136-245-0x0000000000000000-mapping.dmp

Download
memory/1188-301-0x0000000000000000-mapping.dmp

Download
memory/1192-305-0x0000000000000000-mapping.dmp

Download
memory/1192-337-0x0000000000000000-mapping.dmp

Download
memory/1212-229-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/1212-180-0x0000000000000000-mapping.dmp

Download
memory/1212-204-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/1216-237-0x0000000000000000-mapping.dmp

Download
memory/1216-277-0x0000000002260000-0x000000000228A000-memory.dmp

Filesize
168KB

Download
memory/1264-158-0x0000000000000000-mapping.dmp

Download
memory/1388-370-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1436-330-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1436-125-0x0000000000000000-mapping.dmp

Download
memory/1436-146-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1456-274-0x0000000000000000-mapping.dmp

Download
memory/1504-72-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1504-73-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1504-156-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1504-155-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1508-257-0x0000000000000000-mapping.dmp

Download
memory/1508-373-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1508-289-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1508-280-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-236-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-234-0x0000000000000000-mapping.dmp

Download
memory/1548-303-0x0000000000000000-mapping.dmp

Download
memory/1556-317-0x0000000000000000-mapping.dmp

Download
memory/1568-297-0x0000000000000000-mapping.dmp

Download
memory/1576-265-0x0000000000000000-mapping.dmp

Download
memory/1592-300-0x0000000000000000-mapping.dmp

Download
memory/1604-298-0x0000000000000000-mapping.dmp

Download
memory/1616-324-0x0000000000000000-mapping.dmp

Download
memory/1620-215-0x0000000000000000-mapping.dmp

Download
memory/1620-89-0x0000000000000000-mapping.dmp

Download
memory/1636-278-0x0000000000000000-mapping.dmp

Download
memory/1636-320-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1636-328-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-285-0x0000000000000000-mapping.dmp

Download
memory/1684-321-0x0000000000000000-mapping.dmp

Download
memory/1684-206-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1684-288-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1684-191-0x0000000000000000-mapping.dmp

Download
memory/1696-293-0x0000000000000000-mapping.dmp

Download
memory/1704-244-0x0000000000000000-mapping.dmp

Download
memory/1724-108-0x0000000000000000-mapping.dmp

Download
memory/1732-177-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1732-176-0x0000000000000000-mapping.dmp

Download
memory/1732-272-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1732-228-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1740-209-0x0000000000000000-mapping.dmp

Download
memory/1740-240-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1788-271-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1788-192-0x0000000000000000-mapping.dmp

Download
memory/1788-207-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1808-369-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-203-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-184-0x0000000000000000-mapping.dmp

Download
memory/1820-241-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1820-219-0x0000000000000000-mapping.dmp

Download
memory/1820-226-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1892-322-0x0000000000000000-mapping.dmp

Download
memory/1952-239-0x0000000000000000-mapping.dmp

Download
memory/1956-374-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-294-0x0000000000000000-mapping.dmp

Download
memory/1964-336-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1984-327-0x0000000000000000-mapping.dmp

Download
memory/2004-352-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2004-279-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2004-253-0x0000000000000000-mapping.dmp

Download
memory/2004-287-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-208-0x0000000000000000-mapping.dmp

Download
memory/2020-312-0x0000000000000000-mapping.dmp

Download
memory/2036-196-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2036-139-0x0000000000000000-mapping.dmp

Download
memory/2036-148-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download