bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Size

205KB
MD5

170634ca9ef78619045965b55730c390
SHA1

6132464b3ebfd8ca810ce3209e52b4dd6cc9b5c8
SHA256

bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8
SHA512

5263e21be576eddbdfda08c5d1abd9b1d0e773171504a40d62ec3548fe1fd0ec02649f14502069ccf929c221abfc88dab6d894535c7886c19ec9e54b3cf954a2
SSDEEP

3072:0qhMPsCRhlARSOsdwD/98outSSDADeak7dJHB/AKG:0qhMPsCRARoiSoSSSsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

services.exe csrss.exe services.exe lsass.exe lsass.exe services.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe smss.exe winlogon.exe smss.exe services.exe smss.exe csrss.exe csrss.exe smss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe

Modifies system executable filetype association 2 TTPs 17 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

winlogon.exe csrss.exehama.exesmss.exe lsass.exe smss.exe lsass.exe services.exe smss.exe csrss.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe csrss.exe services.exe csrss.exe services.exe smss.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Modifies visibility of file extensions in Explorer 2 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

smss.exe winlogon.exe lsass.exe csrss.exe services.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe smss.exe services.exe csrss.exe lsass.exe hama.exeservices.exe smss.exe services.exe csrss.exesmss.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hama.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

smss.exe services.exe hama.exeservices.exe smss.exe lsass.exe csrss.exe csrss.exe smss.exe services.exe csrss.exe services.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe winlogon.exe csrss.exesmss.exe lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hama.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

UAC bypass 3 TTPs 15 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lsass.exe services.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe smss.exe csrss.exe csrss.exe smss.exe services.exe services.exe lsass.exe winlogon.exe smss.exe csrss.exe smss.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Disables RegEdit via registry modification 15 IoCs

evasion

Processes:

services.exe smss.exe csrss.exe lsass.exe smss.exe csrss.exe winlogon.exe smss.exe csrss.exe services.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe smss.exe services.exe lsass.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe csrss.execsrss.exe csrss.execsrss.exe hama.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe smss.exesmss.exe lsass.exelsass.execsrss.exelsass.exe lsass.exe csrss.exe smss.exeservices.exeservices.exeservices.exe services.exe smss.exe services.exewinlogon.exeservices.exe winlogon.exelsass.exelsass.exe winlogon.exewinlogon.exe winlogon.exe services.exewinlogon.exe services.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~csrss.exewinlogon.exe~Paraysutki_VM_Community~winlogon.exe csrss.exe smss.exe~Paraysutki_VM_Community~smss.exe lsass.exelsass.exe csrss.execsrss.exe

pid	process
4292	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
4676	csrss.exe
1368	csrss.exe
5104	csrss.exe
1384	csrss.exe
1172	hama.exe
1312	smss.exe
4884	smss.exe
2104	csrss.exe
4048	csrss.exe
4312	smss.exe
4140	smss.exe
4636	lsass.exe
216	lsass.exe
3896	csrss.exe
3680	csrss.exe
5004	smss.exe
4828	smss.exe
4236	lsass.exe
3084	lsass.exe
3928	services.exe
1276	services.exe
2232	smss.exe
2200	smss.exe
4684	lsass.exe
1248	lsass.exe
312	csrss.exe
3428	lsass.exe
2480	lsass.exe
4576	csrss.exe
1596	smss.exe
4984	services.exe
1996	services.exe
4960	services.exe
3156	services.exe
2896	smss.exe
3432	services.exe
2512	winlogon.exe
2740	services.exe
2616	winlogon.exe
4320	lsass.exe
5008	lsass.exe
752	winlogon.exe
1636	winlogon.exe
4632	winlogon.exe
4400	services.exe
2748	winlogon.exe
4144	services.exe
5080	winlogon.exe
4640	winlogon.exe
1336	~Paraysutki_VM_Community~
4380	~Paraysutki_VM_Community~
1924	csrss.exe
1388	winlogon.exe
1668	~Paraysutki_VM_Community~
1896	winlogon.exe
4184	csrss.exe
328	smss.exe
4868	~Paraysutki_VM_Community~
4140	smss.exe
768	lsass.exe
3540	lsass.exe
2748	csrss.exe
2512	csrss.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

smss.exe csrss.exe lsass.exe winlogon.exe services.exe csrss.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe services.exe csrss.exe smss.exe services.exe smss.exe smss.exe lsass.exe services.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	smss.exe

Loads dropped DLL 64 IoCs

Processes:

csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe smss.exesmss.exe lsass.exelsass.execsrss.exelsass.exe lsass.exe csrss.exe smss.exeservices.exeservices.exeservices.exe smss.exe services.exe services.exewinlogon.exeservices.exe winlogon.exelsass.exelsass.exe winlogon.exewinlogon.exe winlogon.exe services.exewinlogon.exe services.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~csrss.exewinlogon.exe~Paraysutki_VM_Community~winlogon.exe csrss.exe smss.exe~Paraysutki_VM_Community~smss.exe lsass.exelsass.exe csrss.execsrss.exe csrss.execsrss.exe

pid	process
4676	csrss.exe
1368	csrss.exe
5104	csrss.exe
1384	csrss.exe
1312	smss.exe
4884	smss.exe
2104	csrss.exe
4048	csrss.exe
4312	smss.exe
4140	smss.exe
4636	lsass.exe
216	lsass.exe
3896	csrss.exe
3680	csrss.exe
5004	smss.exe
4828	smss.exe
4236	lsass.exe
3084	lsass.exe
3928	services.exe
1276	services.exe
2232	smss.exe
2200	smss.exe
4684	lsass.exe
1248	lsass.exe
312	csrss.exe
3428	lsass.exe
2480	lsass.exe
4576	csrss.exe
1596	smss.exe
4984	services.exe
1996	services.exe
4960	services.exe
2896	smss.exe
3156	services.exe
3432	services.exe
2512	winlogon.exe
2740	services.exe
2616	winlogon.exe
4320	lsass.exe
5008	lsass.exe
752	winlogon.exe
1636	winlogon.exe
4632	winlogon.exe
4400	services.exe
2748	winlogon.exe
4144	services.exe
5080	winlogon.exe
4640	winlogon.exe
1336	~Paraysutki_VM_Community~
4380	~Paraysutki_VM_Community~
1924	csrss.exe
1388	winlogon.exe
1668	~Paraysutki_VM_Community~
1896	winlogon.exe
4184	csrss.exe
328	smss.exe
4868	~Paraysutki_VM_Community~
4140	smss.exe
768	lsass.exe
3540	lsass.exe
2748	csrss.exe
2512	csrss.exe
5072	csrss.exe
4904	csrss.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services.exe services.exe csrss.exe csrss.exe smss.exe smss.exe smss.exe csrss.exe lsass.exe services.exe lsass.exe services.exe hama.exesmss.exe winlogon.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe

Checks whether UAC is enabled 1 TTPs 15 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services.exe services.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe smss.exe csrss.exe csrss.exe lsass.exe winlogon.exe services.exe smss.exe services.exe lsass.exe csrss.exe smss.exe smss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

hama.exe

description	ioc	process
File opened (read-only)	\??\G:	hama.exe
File opened (read-only)	\??\N:	hama.exe
File opened (read-only)	\??\R:	hama.exe
File opened (read-only)	\??\U:	hama.exe
File opened (read-only)	\??\S:	hama.exe
File opened (read-only)	\??\X:	hama.exe
File opened (read-only)	\??\Y:	hama.exe
File opened (read-only)	\??\Z:	hama.exe
File opened (read-only)	\??\F:	hama.exe
File opened (read-only)	\??\I:	hama.exe
File opened (read-only)	\??\K:	hama.exe
File opened (read-only)	\??\P:	hama.exe
File opened (read-only)	\??\T:	hama.exe
File opened (read-only)	\??\W:	hama.exe
File opened (read-only)	\??\H:	hama.exe
File opened (read-only)	\??\J:	hama.exe
File opened (read-only)	\??\L:	hama.exe
File opened (read-only)	\??\Q:	hama.exe
File opened (read-only)	\??\V:	hama.exe
File opened (read-only)	\??\B:	hama.exe
File opened (read-only)	\??\E:	hama.exe
File opened (read-only)	\??\M:	hama.exe
File opened (read-only)	\??\O:	hama.exe

Drops file in System32 directory 64 IoCs

Processes:

smss.exe lsass.exe services.exe services.exe lsass.exe services.exe smss.exe services.exe~Paraysutki_VM_Community~winlogon.exe smss.exe smss.exeservices.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe csrss.execsrss.execsrss.exe services.exewinlogon.exelsass.execsrss.exesmss.execsrss.exe csrss.exe csrss.exelsass.exesmss.exe hama.exewinlogon.exesmss.exeConhost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	hama.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Conhost.exe

Drops file in Program Files directory 27 IoCs

Processes:

hama.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	hama.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	hama.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	hama.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	hama.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	hama.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	hama.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	hama.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	hama.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	hama.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	hama.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	hama.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

services.exe smss.exe services.exe lsass.exe smss.exe lsass.exe services.exe smss.exe smss.exe services.exe csrss.exe winlogon.exe csrss.exe csrss.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	services.exe

Modifies registry class 64 IoCs

Processes:

csrss.exehama.exesmss.exe smss.exe services.exe lsass.exe csrss.exe services.exe smss.exe services.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe csrss.exe lsass.exe smss.exe csrss.exe services.exe winlogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	hama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	hama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	hama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	hama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	hama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	hama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	hama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe

Runs ping.exe 1 TTPs 45 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
3424	ping.exe
3684	ping.exe
6080	ping.exe
5944	ping.exe
5864	ping.exe
5696	ping.exe
4632	ping.exe
6872	ping.exe
4512	ping.exe
4972	ping.exe
5068	ping.exe
3480	ping.exe
3700	ping.exe
6864	ping.exe
60	ping.exe
1740	ping.exe
1536	ping.exe
5704	ping.exe
5476	ping.exe
4264	ping.exe
1320	ping.exe
5736	ping.exe
5912	ping.exe
5492	ping.exe
6428	ping.exe
4520	ping.exe
1248	ping.exe
6104	ping.exe
6096	ping.exe
5840	ping.exe
1604	ping.exe
5776	ping.exe
6420	ping.exe
3456	ping.exe
3924	ping.exe
4408	ping.exe
4736	ping.exe
6404	ping.exe
5680	ping.exe
6856	ping.exe
3412	ping.exe
3736	ping.exe
212	ping.exe
3676	ping.exe
3972	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exe

pid	process
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
4676	csrss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe
1312	smss.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
4412	rundll32.exe
4132	rundll32.exe
4656	rundll32.exe
4024	rundll32.exe
1644	rundll32.exe
1668	rundll32.exe
3368	rundll32.exe
2408	rundll32.exe
5588	rundll32.exe
6024	rundll32.exe
5868	rundll32.exe
4616	rundll32.exe
3496	rundll32.exe
6356	rundll32.exe
6748	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exebbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe csrss.execsrss.exe csrss.execsrss.exe hama.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe smss.exesmss.exe lsass.exelsass.exelsass.exe csrss.exelsass.exe csrss.exe services.exeservices.exesmss.exeservices.exe services.exe services.exesmss.exe winlogon.exewinlogon.exeservices.exe lsass.exelsass.exe winlogon.exewinlogon.exe services.exewinlogon.exe winlogon.exe winlogon.exeservices.exe winlogon.exe ~Paraysutki_VM_Community~winlogon.exe~Paraysutki_VM_Community~csrss.exe~Paraysutki_VM_Community~winlogon.exe csrss.exe smss.exe~Paraysutki_VM_Community~smss.exe lsass.exelsass.exe csrss.exe

pid	process
4248	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
4292	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
4676	csrss.exe
1368	csrss.exe
5104	csrss.exe
1384	csrss.exe
1172	hama.exe
1312	smss.exe
4884	smss.exe
2104	csrss.exe
4048	csrss.exe
4312	smss.exe
4140	smss.exe
4636	lsass.exe
216	lsass.exe
3896	csrss.exe
3680	csrss.exe
5004	smss.exe
4828	smss.exe
4236	lsass.exe
3084	lsass.exe
3928	services.exe
1276	services.exe
2232	smss.exe
2200	smss.exe
4684	lsass.exe
1248	lsass.exe
3428	lsass.exe
312	csrss.exe
2480	lsass.exe
4576	csrss.exe
1996	services.exe
4984	services.exe
1596	smss.exe
4960	services.exe
3156	services.exe
3432	services.exe
2896	smss.exe
2512	winlogon.exe
2616	winlogon.exe
2740	services.exe
4320	lsass.exe
5008	lsass.exe
752	winlogon.exe
1636	winlogon.exe
4400	services.exe
4632	winlogon.exe
2748	winlogon.exe
5080	winlogon.exe
4144	services.exe
4640	winlogon.exe
1336	~Paraysutki_VM_Community~
1388	winlogon.exe
4380	~Paraysutki_VM_Community~
1924	csrss.exe
1668	~Paraysutki_VM_Community~
1896	winlogon.exe
4184	csrss.exe
328	smss.exe
4868	~Paraysutki_VM_Community~
4140	smss.exe
768	lsass.exe
3540	lsass.exe
2748	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4248 wrote to memory of 4292	4248	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
PID 4248 wrote to memory of 4292	4248	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
PID 4248 wrote to memory of 4292	4248	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
PID 4292 wrote to memory of 4676	4292	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe	csrss.exe
PID 4292 wrote to memory of 4676	4292	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe	csrss.exe
PID 4292 wrote to memory of 4676	4292	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe	csrss.exe
PID 4676 wrote to memory of 1368	4676	csrss.exe	csrss.exe
PID 4676 wrote to memory of 1368	4676	csrss.exe	csrss.exe
PID 4676 wrote to memory of 1368	4676	csrss.exe	csrss.exe
PID 1368 wrote to memory of 5104	1368	csrss.exe	csrss.exe
PID 1368 wrote to memory of 5104	1368	csrss.exe	csrss.exe
PID 1368 wrote to memory of 5104	1368	csrss.exe	csrss.exe
PID 5104 wrote to memory of 1384	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 1384	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 1384	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 1172	5104	csrss.exe	hama.exe
PID 5104 wrote to memory of 1172	5104	csrss.exe	hama.exe
PID 5104 wrote to memory of 1172	5104	csrss.exe	hama.exe
PID 1368 wrote to memory of 1312	1368	csrss.exe	smss.exe
PID 1368 wrote to memory of 1312	1368	csrss.exe	smss.exe
PID 1368 wrote to memory of 1312	1368	csrss.exe	smss.exe
PID 1312 wrote to memory of 4884	1312	smss.exe	smss.exe
PID 1312 wrote to memory of 4884	1312	smss.exe	smss.exe
PID 1312 wrote to memory of 4884	1312	smss.exe	smss.exe
PID 4884 wrote to memory of 2104	4884	smss.exe	csrss.exe
PID 4884 wrote to memory of 2104	4884	smss.exe	csrss.exe
PID 4884 wrote to memory of 2104	4884	smss.exe	csrss.exe
PID 2104 wrote to memory of 4048	2104	csrss.exe	csrss.exe
PID 2104 wrote to memory of 4048	2104	csrss.exe	csrss.exe
PID 2104 wrote to memory of 4048	2104	csrss.exe	csrss.exe
PID 4884 wrote to memory of 4312	4884	smss.exe	smss.exe
PID 4884 wrote to memory of 4312	4884	smss.exe	smss.exe
PID 4884 wrote to memory of 4312	4884	smss.exe	smss.exe
PID 4312 wrote to memory of 4140	4312	smss.exe	smss.exe
PID 4312 wrote to memory of 4140	4312	smss.exe	smss.exe
PID 4312 wrote to memory of 4140	4312	smss.exe	smss.exe
PID 4884 wrote to memory of 4636	4884	smss.exe	lsass.exe
PID 4884 wrote to memory of 4636	4884	smss.exe	lsass.exe
PID 4884 wrote to memory of 4636	4884	smss.exe	lsass.exe
PID 4636 wrote to memory of 216	4636	lsass.exe	lsass.exe
PID 4636 wrote to memory of 216	4636	lsass.exe	lsass.exe
PID 4636 wrote to memory of 216	4636	lsass.exe	lsass.exe
PID 216 wrote to memory of 3896	216	lsass.exe	csrss.exe
PID 216 wrote to memory of 3896	216	lsass.exe	csrss.exe
PID 216 wrote to memory of 3896	216	lsass.exe	csrss.exe
PID 3896 wrote to memory of 3680	3896	csrss.exe	csrss.exe
PID 3896 wrote to memory of 3680	3896	csrss.exe	csrss.exe
PID 3896 wrote to memory of 3680	3896	csrss.exe	csrss.exe
PID 216 wrote to memory of 5004	216	lsass.exe	smss.exe
PID 216 wrote to memory of 5004	216	lsass.exe	smss.exe
PID 216 wrote to memory of 5004	216	lsass.exe	smss.exe
PID 5004 wrote to memory of 4828	5004	smss.exe	smss.exe
PID 5004 wrote to memory of 4828	5004	smss.exe	smss.exe
PID 5004 wrote to memory of 4828	5004	smss.exe	smss.exe
PID 216 wrote to memory of 4236	216	lsass.exe	lsass.exe
PID 216 wrote to memory of 4236	216	lsass.exe	lsass.exe
PID 216 wrote to memory of 4236	216	lsass.exe	lsass.exe
PID 4236 wrote to memory of 3084	4236	lsass.exe	lsass.exe
PID 4236 wrote to memory of 3084	4236	lsass.exe	lsass.exe
PID 4236 wrote to memory of 3084	4236	lsass.exe	lsass.exe
PID 216 wrote to memory of 3928	216	lsass.exe	services.exe
PID 216 wrote to memory of 3928	216	lsass.exe	services.exe
PID 216 wrote to memory of 3928	216	lsass.exe	services.exe
PID 3928 wrote to memory of 1276	3928	services.exe	services.exe

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

smss.exe bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe csrss.exe smss.exe services.exe smss.exe services.exe lsass.exe winlogon.exe csrss.exe csrss.exe services.exe smss.exe lsass.exe services.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe

C:\Users\Admin\AppData\Local\Temp\bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
"C:\Users\Admin\AppData\Local\Temp\bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Local\Temp\bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
C:\Users\Admin\AppData\Local\Temp\bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4292

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1368

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1384

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\hama.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\hama.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4884

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:216

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1276

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:312

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4320

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
11⤵
- Suspicious use of FindShellTrayWindow
PID:4024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
11⤵
PID:1396

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
11⤵
- Runs ping.exe
PID:1320

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:60

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:3456

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
11⤵
PID:3184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
11⤵
PID:5100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
11⤵
PID:3736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
11⤵
PID:5116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
11⤵
PID:4636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
- Suspicious use of FindShellTrayWindow
PID:4656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:2636

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:4512

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:3412

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:4972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:1432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:2548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:2480

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:2768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:3008

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3432

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:752

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:4132

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:4828

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:4264

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:1736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:1604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:3384

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:3124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:4032

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:3424

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4412

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:4808

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:3672

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:2884

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:4780

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:4556

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:5068

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1740

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:3480

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:328

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3540

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:2512

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Loads dropped DLL
PID:5072

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Loads dropped DLL
PID:4904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
PID:3464

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4356

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
11⤵
PID:4064

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
12⤵
PID:2436

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
11⤵
PID:1336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
12⤵
PID:5020

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
11⤵
PID:212

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
12⤵
PID:4876

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
11⤵
- Drops file in System32 directory
PID:3972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4296

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
13⤵
PID:2360

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
14⤵
PID:3640

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
13⤵
PID:408

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
14⤵
PID:2348

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
13⤵
PID:2248

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
14⤵
PID:1604

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
13⤵
- Drops file in System32 directory
PID:1312

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
14⤵
PID:4780

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
13⤵
PID:1472

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
14⤵
PID:3384

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
13⤵
PID:3604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
13⤵
- Suspicious use of FindShellTrayWindow
PID:1644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
13⤵
PID:216

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
13⤵
- Runs ping.exe
PID:3924

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
13⤵
PID:4224

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:4408

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:3736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
13⤵
PID:1532

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
13⤵
PID:4864

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
13⤵
PID:1420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
13⤵
PID:4064

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
11⤵
PID:4912

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
11⤵
PID:5072

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
11⤵
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
11⤵
PID:1476

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
11⤵
PID:2408

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
11⤵
- Runs ping.exe
PID:3684

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:212

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:3676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
11⤵
PID:2788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
11⤵
PID:1472

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
11⤵
PID:100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
11⤵
PID:3052

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
PID:2160

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
PID:4556

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:1388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
11⤵
PID:2408

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
12⤵
PID:4296

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
11⤵
- Drops file in System32 directory
PID:1616

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
13⤵
PID:3612

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
14⤵
PID:2548

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
13⤵
PID:4364

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
14⤵
PID:2768

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
13⤵
PID:1816

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
14⤵
PID:4664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
13⤵
PID:1248

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
14⤵
PID:2768

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
13⤵
PID:4000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
14⤵
PID:4664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
13⤵
PID:1604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
13⤵
- Suspicious use of FindShellTrayWindow
PID:2408

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
13⤵
PID:5128

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
13⤵
- Runs ping.exe
PID:4736

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:1604

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:1248

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
13⤵
PID:5216

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
13⤵
PID:5280

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
13⤵
PID:5308

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
13⤵
PID:5324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
13⤵
PID:5368

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
11⤵
- Drops file in System32 directory
PID:4552

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
12⤵
PID:5232

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
11⤵
PID:5336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
12⤵
PID:5388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
11⤵
PID:5464

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
12⤵
PID:5492

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
11⤵
PID:5540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
11⤵
- Suspicious use of FindShellTrayWindow
PID:5588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
11⤵
PID:5712

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
11⤵
- Runs ping.exe
PID:5704

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:5696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
11⤵
PID:5800

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:5680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
11⤵
PID:5844

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
12⤵
PID:5116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
11⤵
PID:5892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
11⤵
PID:5936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
11⤵
PID:5980

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
PID:5688

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
10⤵
PID:5824

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
PID:5912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
- Suspicious use of FindShellTrayWindow
PID:6024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:6112

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:6104

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:5168

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:6096

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:6080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:5252

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:4684

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:5392

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:5516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Drops file in System32 directory
PID:6088

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5232

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
PID:5476

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
PID:5736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:5336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:5936

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
PID:5800

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
PID:2644

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
PID:5920

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
PID:4616

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
PID:6136

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
PID:1804

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
PID:4336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
10⤵
PID:5504

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
PID:5756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
- Suspicious use of FindShellTrayWindow
PID:5868

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:6072

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:5348

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:5316

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:5840

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:5912

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:5944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:5504

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:3496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:5128

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
PID:5864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
PID:4336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
PID:100

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
PID:768

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
PID:5596

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
PID:2736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:3496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:5324

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:5492

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:5864

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:5736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:6180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:6220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:6236

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:6288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:6308

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
PID:5096

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5308

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Drops file in System32 directory
PID:5460

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5556

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
PID:5772

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
PID:220

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
PID:5864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
PID:5976

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
PID:6136

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
PID:6040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
PID:1444

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
PID:1596

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
PID:5516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
PID:5116

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
10⤵
PID:4632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
- Drops file in System32 directory
PID:2812

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
- Suspicious use of FindShellTrayWindow
PID:4616

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:5488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:5300

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:3920

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:5180

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:4632

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:5476

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:5776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:3952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:5488

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
PID:5844

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
PID:5864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
PID:5316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Drops file in System32 directory
PID:2736

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
PID:5116

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
PID:5628

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Drops file in System32 directory
PID:5540

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
PID:3920

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
PID:6244

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:6356

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:6436

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:6540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:6600

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:6428

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:6652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:6612

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:6420

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:6404

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:6704

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
PID:6624

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
PID:6412

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:6748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:6880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:6980

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:6872

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:6864

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:6856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:7024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:7060

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:7076

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:7112

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
PID:4596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:3368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
3⤵
PID:4320

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
3⤵
- Runs ping.exe
PID:3700

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:3972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
3⤵
PID:3444

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
3⤵
PID:2360

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
3⤵
PID:4596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
3⤵
PID:1604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
3⤵
PID:2548

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
1⤵
PID:3336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
1⤵
PID:2548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3336

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
1⤵
PID:6528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbd30448ede77ec13e6ba1ec3342707557ef7f9c3f8e31e52ff2973a84310ad8.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\hama.exe

Filesize
76KB

MD5
0a7f06585ac3e680cd87b4c48822377c

SHA1
fc7b84bf6488beb8f482a7e2c1e9474bd80499d4

SHA256
45498893b95fc653128ae6c53bacb4feb0c24f28586b1cf3eb49e4fcf7ad1ac3

SHA512
385d9fa4a64a969c10620eee2c552374e094041d58c23b122debefe69b23277a367adaa4291f803118c4fde63043aab5847bbac76ed9336510861c70f529fdb1

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
ee74216b38c241d543ddabcea763f889

SHA1
17b0a9b818df2956e0486d5cbacfcbf1a10bc4a7

SHA256
a4681c924a5a2f468ec0d6e82b58ad337381d5d6cddb44560d0ea432e7eb55b5

SHA512
d196018c328016c447b0349e1d0d23c11d3b77e58faceb7795e380e0e1a68ddf312ced49a583d0c83e8553437917813f662e8206e1926f472f011581936a7af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
b5555e21c0ae4bafcdaebb48096ff1c6

SHA1
18919d2f145cbb422cfffafa70037782c8affcb3

SHA256
a26796f9226a9758f9811a1be4cfd0cc0c7b63ecc25cdee370583079bdffbbc6

SHA512
ebd1344784de7fcf47f09b4ad7baa762b9f7ab445b8559b97c3047e424c32752ab29be532640f7f61b33d065284765293beead3b11d4c750c337157538b0e850

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\hama.exe

Filesize
76KB

MD5
0a7f06585ac3e680cd87b4c48822377c

SHA1
fc7b84bf6488beb8f482a7e2c1e9474bd80499d4

SHA256
45498893b95fc653128ae6c53bacb4feb0c24f28586b1cf3eb49e4fcf7ad1ac3

SHA512
385d9fa4a64a969c10620eee2c552374e094041d58c23b122debefe69b23277a367adaa4291f803118c4fde63043aab5847bbac76ed9336510861c70f529fdb1

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/216-222-0x0000000000000000-mapping.dmp

Download
memory/216-331-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/216-228-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/216-418-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/312-287-0x0000000000000000-mapping.dmp

Download
memory/328-402-0x0000000000000000-mapping.dmp

Download
memory/752-349-0x0000000000000000-mapping.dmp

Download
memory/1172-172-0x0000000000000000-mapping.dmp

Download
memory/1248-286-0x0000000000000000-mapping.dmp

Download
memory/1276-271-0x0000000000000000-mapping.dmp

Download
memory/1276-424-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1276-274-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1276-387-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1312-179-0x0000000000000000-mapping.dmp

Download
memory/1336-374-0x0000000000000000-mapping.dmp

Download
memory/1368-282-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1368-148-0x0000000000000000-mapping.dmp

Download
memory/1368-421-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1368-158-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1384-171-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1384-166-0x0000000000000000-mapping.dmp

Download
memory/1388-510-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1388-382-0x0000000000000000-mapping.dmp

Download
memory/1596-308-0x0000000000000000-mapping.dmp

Download
memory/1604-476-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1636-359-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1636-350-0x0000000000000000-mapping.dmp

Download
memory/1636-509-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-385-0x0000000000000000-mapping.dmp

Download
memory/1896-404-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1896-394-0x0000000000000000-mapping.dmp

Download
memory/1924-377-0x0000000000000000-mapping.dmp

Download
memory/1996-311-0x0000000000000000-mapping.dmp

Download
memory/2104-191-0x0000000000000000-mapping.dmp

Download
memory/2200-291-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2200-279-0x0000000000000000-mapping.dmp

Download
memory/2200-283-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-276-0x0000000000000000-mapping.dmp

Download
memory/2348-471-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2436-446-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2480-307-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2480-304-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2480-295-0x0000000000000000-mapping.dmp

Download
memory/2512-440-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2512-330-0x0000000000000000-mapping.dmp

Download
memory/2548-503-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2548-525-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2616-336-0x0000000000000000-mapping.dmp

Download
memory/2740-354-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2740-333-0x0000000000000000-mapping.dmp

Download
memory/2748-380-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2748-363-0x0000000000000000-mapping.dmp

Download
memory/2768-530-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2896-320-0x0000000000000000-mapping.dmp

Download
memory/2896-337-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3084-259-0x0000000000000000-mapping.dmp

Download
memory/3084-264-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3156-334-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3156-319-0x0000000000000000-mapping.dmp

Download
memory/3336-493-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3384-486-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3428-303-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3428-306-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3428-289-0x0000000000000000-mapping.dmp

Download
memory/3432-321-0x0000000000000000-mapping.dmp

Download
memory/3540-426-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3640-466-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3680-235-0x0000000000000000-mapping.dmp

Download
memory/3680-240-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3896-229-0x0000000000000000-mapping.dmp

Download
memory/3928-265-0x0000000000000000-mapping.dmp

Download
memory/4024-416-0x0000000000000000-mapping.dmp

Download
memory/4048-197-0x0000000000000000-mapping.dmp

Download
memory/4048-202-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4132-403-0x0000000000000000-mapping.dmp

Download
memory/4140-411-0x0000000000000000-mapping.dmp

Download
memory/4140-417-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4140-210-0x0000000000000000-mapping.dmp

Download
memory/4140-215-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4144-365-0x0000000000000000-mapping.dmp

Download
memory/4144-378-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4184-408-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4184-396-0x0000000000000000-mapping.dmp

Download
memory/4236-253-0x0000000000000000-mapping.dmp

Download
memory/4292-134-0x0000000000000000-mapping.dmp

Download
memory/4292-275-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4292-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4292-513-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4296-516-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4296-496-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4296-459-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4312-204-0x0000000000000000-mapping.dmp

Download
memory/4320-338-0x0000000000000000-mapping.dmp

Download
memory/4356-441-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4356-507-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4380-376-0x0000000000000000-mapping.dmp

Download
memory/4400-352-0x0000000000000000-mapping.dmp

Download
memory/4412-406-0x0000000000000000-mapping.dmp

Download
memory/4576-300-0x0000000000000000-mapping.dmp

Download
memory/4576-305-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4576-310-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4632-351-0x0000000000000000-mapping.dmp

Download
memory/4632-379-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4636-216-0x0000000000000000-mapping.dmp

Download
memory/4640-388-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4640-373-0x0000000000000000-mapping.dmp

Download
memory/4656-405-0x0000000000000000-mapping.dmp

Download
memory/4664-535-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4676-140-0x0000000000000000-mapping.dmp

Download
memory/4684-284-0x0000000000000000-mapping.dmp

Download
memory/4780-481-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4828-252-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4828-247-0x0000000000000000-mapping.dmp

Download
memory/4868-407-0x0000000000000000-mapping.dmp

Download
memory/4876-456-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-203-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-420-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-185-0x0000000000000000-mapping.dmp

Download
memory/4904-435-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4960-328-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4960-318-0x0000000000000000-mapping.dmp

Download
memory/4984-309-0x0000000000000000-mapping.dmp

Download
memory/5004-241-0x0000000000000000-mapping.dmp

Download
memory/5008-346-0x0000000000000000-mapping.dmp

Download
memory/5008-353-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5020-451-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5080-366-0x0000000000000000-mapping.dmp

Download
memory/5104-160-0x0000000000000000-mapping.dmp

Download