b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0

Analysis

max time kernel
236s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Size

205KB
MD5

2671fcc2382dd3ce49b21d3e8f7bbdde
SHA1

2336eeb46dd03780af260fabb49a845bf0367fd0
SHA256

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0
SHA512

8a40738ab711ac49c8513836a75ab422d168a918ae7bf3146c9ff1cca7ceb4c2be6c4c44927dcf51b409708010af08f1a2ad91f94aed264bad8d2e7d6b17266c
SSDEEP

3072:MqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:MqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exedswp.execsrss.exescag.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scag.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exedswp.execsrss.exescag.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dswp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	scag.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exedswp.execsrss.exescag.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dswp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	scag.exe

Executes dropped EXE 39 IoCs

Processes:

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe dswp.execsrss.execsrss.exe csrss.execsrss.exe scag.exesmss.exesmss.exesmss.exe smss.exe lsass.exelsass.exeservices.exeservices.exelsass.exe lsass.exe csrss.execsrss.exe smss.exewinlogon.exesmss.exe services.exe services.exe winlogon.execsrss.exelsass.execsrss.exe lsass.exe smss.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~services.execsrss.exeservices.exe smss.exe lsass.execsrss.exe lsass.exe

pid	process
3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
1548	dswp.exe
4388	csrss.exe
928	csrss.exe
3780	csrss.exe
2940	csrss.exe
4940	scag.exe
4752	smss.exe
4400	smss.exe
5000	smss.exe
4804	smss.exe
3412	lsass.exe
3984	lsass.exe
1296	services.exe
4876	services.exe
1892	lsass.exe
1752	lsass.exe
2432	csrss.exe
748	csrss.exe
4024	smss.exe
772	winlogon.exe
4928	smss.exe
4308	services.exe
4868	services.exe
332	winlogon.exe
4736	csrss.exe
4784	lsass.exe
3616	csrss.exe
3788	lsass.exe
4900	smss.exe
1392	~Paraysutki_VM_Community~
4008	~Paraysutki_VM_Community~
1680	services.exe
4816	csrss.exe
3168	services.exe
4408	smss.exe
2472	lsass.exe
664	csrss.exe
3476	lsass.exe

Loads dropped DLL 36 IoCs

Processes:

csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exelsass.exesmss.exe lsass.exesmss.exe services.exeservices.exelsass.exe lsass.exe csrss.execsrss.exe smss.exesmss.exe winlogon.exeservices.exe services.exe winlogon.execsrss.exelsass.execsrss.exe lsass.exe smss.exeservices.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~csrss.exeservices.exe smss.exe lsass.execsrss.exe lsass.exe

pid	process
4388	csrss.exe
928	csrss.exe
3780	csrss.exe
2940	csrss.exe
4752	smss.exe
4400	smss.exe
3984	lsass.exe
4804	smss.exe
3412	lsass.exe
5000	smss.exe
4876	services.exe
1296	services.exe
1892	lsass.exe
1752	lsass.exe
2432	csrss.exe
748	csrss.exe
4024	smss.exe
4928	smss.exe
772	winlogon.exe
4308	services.exe
4868	services.exe
332	winlogon.exe
4736	csrss.exe
4784	lsass.exe
3616	csrss.exe
3788	lsass.exe
4900	smss.exe
1680	services.exe
4008	~Paraysutki_VM_Community~
1392	~Paraysutki_VM_Community~
4816	csrss.exe
3168	services.exe
4408	smss.exe
2472	lsass.exe
664	csrss.exe
3476	lsass.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dswp.execsrss.exescag.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	scag.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

scag.exedswp.exe

description	ioc	process
File opened (read-only)	\??\O:	scag.exe
File opened (read-only)	\??\S:	scag.exe
File opened (read-only)	\??\X:	scag.exe
File opened (read-only)	\??\G:	scag.exe
File opened (read-only)	\??\H:	scag.exe
File opened (read-only)	\??\T:	scag.exe
File opened (read-only)	\??\Z:	dswp.exe
File opened (read-only)	\??\P:	scag.exe
File opened (read-only)	\??\B:	scag.exe
File opened (read-only)	\??\F:	scag.exe
File opened (read-only)	\??\W:	scag.exe
File opened (read-only)	\??\O:	dswp.exe
File opened (read-only)	\??\W:	dswp.exe
File opened (read-only)	\??\V:	dswp.exe
File opened (read-only)	\??\E:	scag.exe
File opened (read-only)	\??\M:	dswp.exe
File opened (read-only)	\??\P:	dswp.exe
File opened (read-only)	\??\Y:	dswp.exe
File opened (read-only)	\??\N:	scag.exe
File opened (read-only)	\??\V:	scag.exe
File opened (read-only)	\??\Q:	dswp.exe
File opened (read-only)	\??\T:	dswp.exe
File opened (read-only)	\??\U:	dswp.exe
File opened (read-only)	\??\X:	dswp.exe
File opened (read-only)	\??\J:	scag.exe
File opened (read-only)	\??\K:	scag.exe
File opened (read-only)	\??\F:	dswp.exe
File opened (read-only)	\??\K:	dswp.exe
File opened (read-only)	\??\I:	dswp.exe
File opened (read-only)	\??\J:	dswp.exe
File opened (read-only)	\??\L:	dswp.exe
File opened (read-only)	\??\L:	scag.exe
File opened (read-only)	\??\M:	scag.exe
File opened (read-only)	\??\R:	scag.exe
File opened (read-only)	\??\B:	dswp.exe
File opened (read-only)	\??\E:	dswp.exe
File opened (read-only)	\??\U:	scag.exe
File opened (read-only)	\??\Z:	scag.exe
File opened (read-only)	\??\N:	dswp.exe
File opened (read-only)	\??\R:	dswp.exe
File opened (read-only)	\??\S:	dswp.exe
File opened (read-only)	\??\I:	scag.exe
File opened (read-only)	\??\Q:	scag.exe
File opened (read-only)	\??\Y:	scag.exe
File opened (read-only)	\??\G:	dswp.exe
File opened (read-only)	\??\H:	dswp.exe

Drops file in System32 directory 64 IoCs

Processes:

csrss.exe csrss.exesmss.exe services.exe b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe lsass.execsrss.exelsass.exe lsass.exe~Paraysutki_VM_Community~dswp.exesmss.exesmss.execsrss.exesmss.exescag.exeservices.execsrss.exeb5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	dswp.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	dswp.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\Desktop.sysm	scag.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	scag.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	scag.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	scag.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe

Drops file in Program Files directory 27 IoCs

Processes:

dswp.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	dswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	dswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	dswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	dswp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	dswp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	dswp.exe

Modifies registry class 64 IoCs

Processes:

scag.exeb5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.execsrss.exedswp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	dswp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	scag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	dswp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exelsass.exelsass.exe

pid	process
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4388	csrss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
4752	smss.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3412	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe
3984	lsass.exe

Suspicious use of SetWindowsHookEx 40 IoCs

Processes:

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exeb5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe dswp.execsrss.execsrss.exe csrss.execsrss.exe scag.exesmss.exesmss.exelsass.exelsass.exesmss.exe smss.exe services.exeservices.exelsass.exe lsass.exe csrss.execsrss.exe smss.exeservices.exe winlogon.exeservices.exe winlogon.execsrss.exesmss.exe lsass.execsrss.exe lsass.exe services.exesmss.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~services.exe csrss.exesmss.exe lsass.execsrss.exe lsass.exe

pid	process
3960	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
1548	dswp.exe
4388	csrss.exe
928	csrss.exe
3780	csrss.exe
2940	csrss.exe
4940	scag.exe
4752	smss.exe
4400	smss.exe
3984	lsass.exe
3412	lsass.exe
5000	smss.exe
4804	smss.exe
1296	services.exe
4876	services.exe
1892	lsass.exe
1752	lsass.exe
2432	csrss.exe
748	csrss.exe
4024	smss.exe
4308	services.exe
772	winlogon.exe
4868	services.exe
332	winlogon.exe
4736	csrss.exe
4928	smss.exe
4784	lsass.exe
3616	csrss.exe
3788	lsass.exe
1680	services.exe
4900	smss.exe
4008	~Paraysutki_VM_Community~
1392	~Paraysutki_VM_Community~
3168	services.exe
4816	csrss.exe
4408	smss.exe
2472	lsass.exe
664	csrss.exe
3476	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exeb5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe csrss.execsrss.exe csrss.exesmss.exesmss.exelsass.exelsass.exesmss.exe csrss.exesmss.exe

description	pid	process	target process
PID 3960 wrote to memory of 3672	3960	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
PID 3960 wrote to memory of 3672	3960	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
PID 3960 wrote to memory of 3672	3960	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
PID 3960 wrote to memory of 1548	3960	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	dswp.exe
PID 3960 wrote to memory of 1548	3960	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	dswp.exe
PID 3960 wrote to memory of 1548	3960	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	dswp.exe
PID 3672 wrote to memory of 4388	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	csrss.exe
PID 3672 wrote to memory of 4388	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	csrss.exe
PID 3672 wrote to memory of 4388	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	csrss.exe
PID 4388 wrote to memory of 928	4388	csrss.exe	csrss.exe
PID 4388 wrote to memory of 928	4388	csrss.exe	csrss.exe
PID 4388 wrote to memory of 928	4388	csrss.exe	csrss.exe
PID 928 wrote to memory of 3780	928	csrss.exe	csrss.exe
PID 928 wrote to memory of 3780	928	csrss.exe	csrss.exe
PID 928 wrote to memory of 3780	928	csrss.exe	csrss.exe
PID 3780 wrote to memory of 2940	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 2940	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 2940	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4940	3780	csrss.exe	scag.exe
PID 3780 wrote to memory of 4940	3780	csrss.exe	scag.exe
PID 3780 wrote to memory of 4940	3780	csrss.exe	scag.exe
PID 928 wrote to memory of 4752	928	csrss.exe	smss.exe
PID 928 wrote to memory of 4752	928	csrss.exe	smss.exe
PID 928 wrote to memory of 4752	928	csrss.exe	smss.exe
PID 3672 wrote to memory of 4400	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	smss.exe
PID 3672 wrote to memory of 4400	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	smss.exe
PID 3672 wrote to memory of 4400	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	smss.exe
PID 4752 wrote to memory of 5000	4752	smss.exe	smss.exe
PID 4752 wrote to memory of 5000	4752	smss.exe	smss.exe
PID 4752 wrote to memory of 5000	4752	smss.exe	smss.exe
PID 4400 wrote to memory of 4804	4400	smss.exe	smss.exe
PID 4400 wrote to memory of 4804	4400	smss.exe	smss.exe
PID 4400 wrote to memory of 4804	4400	smss.exe	smss.exe
PID 928 wrote to memory of 3412	928	csrss.exe	lsass.exe
PID 928 wrote to memory of 3412	928	csrss.exe	lsass.exe
PID 928 wrote to memory of 3412	928	csrss.exe	lsass.exe
PID 3672 wrote to memory of 3984	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	lsass.exe
PID 3672 wrote to memory of 3984	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	lsass.exe
PID 3672 wrote to memory of 3984	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	lsass.exe
PID 928 wrote to memory of 4876	928	csrss.exe	services.exe
PID 928 wrote to memory of 4876	928	csrss.exe	services.exe
PID 928 wrote to memory of 4876	928	csrss.exe	services.exe
PID 3672 wrote to memory of 1296	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	services.exe
PID 3672 wrote to memory of 1296	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	services.exe
PID 3672 wrote to memory of 1296	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	services.exe
PID 3412 wrote to memory of 1892	3412	lsass.exe	lsass.exe
PID 3412 wrote to memory of 1892	3412	lsass.exe	lsass.exe
PID 3412 wrote to memory of 1892	3412	lsass.exe	lsass.exe
PID 3984 wrote to memory of 1752	3984	lsass.exe	lsass.exe
PID 3984 wrote to memory of 1752	3984	lsass.exe	lsass.exe
PID 3984 wrote to memory of 1752	3984	lsass.exe	lsass.exe
PID 4804 wrote to memory of 2432	4804	smss.exe	csrss.exe
PID 4804 wrote to memory of 2432	4804	smss.exe	csrss.exe
PID 4804 wrote to memory of 2432	4804	smss.exe	csrss.exe
PID 2432 wrote to memory of 748	2432	csrss.exe	csrss.exe
PID 2432 wrote to memory of 748	2432	csrss.exe	csrss.exe
PID 2432 wrote to memory of 748	2432	csrss.exe	csrss.exe
PID 4804 wrote to memory of 4024	4804	smss.exe	smss.exe
PID 4804 wrote to memory of 4024	4804	smss.exe	smss.exe
PID 4804 wrote to memory of 4024	4804	smss.exe	smss.exe
PID 4024 wrote to memory of 4928	4024	smss.exe	smss.exe
PID 4024 wrote to memory of 4928	4024	smss.exe	smss.exe
PID 4024 wrote to memory of 4928	4024	smss.exe	smss.exe
PID 3672 wrote to memory of 772	3672	b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
"C:\Users\Admin\AppData\Local\Temp\b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
C:\Users\Admin\AppData\Local\Temp\b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2940

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scag.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\scag.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1392

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dswp.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\dswp.exe" b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5f0e2ae1f7dee054a17ea8482f567670ca397d679480d4fb143151150044db0.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\dswp.exe

Filesize
76KB

MD5
f0b6de0d7d799cc16ccef04034fa7289

SHA1
aecc42337649aa3855b0d7fe55923ef17d57e42c

SHA256
3d6ecb3a5f91e6c10414e67057851f4c56fbea528f3bbf5d32afab6bcbb2340c

SHA512
244bfefa172982ea31f67cfbe8d7ec040994f16cd762484810c7c202bc5784fda17ed7a180dd57d05493724fd9661d77c35658516bd0d2474c2bb3e6f86c9abf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\scag.exe

Filesize
76KB

MD5
a55995980d541e5d95c43f84df244115

SHA1
0ca07e9ab001bd3d573e6946197c13a2bd0de690

SHA256
5b5920f42d97b46afcecafb73d0df09c12fa2047fca99afc70d2604d90e6b543

SHA512
9d5f0bb7f8c4e44c25e7b34cefab256f5b47e66a213c423b03824e873d71a2ce6d798dd145bbd81e3d9bd6fb6d61cf9cc69bd111e7ab8158a03c75ebf3c6585a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
144796b43f486857ed495dacaa9ef861

SHA1
61dd91229c1fc8457cf8084aa2a33ed23b8b4524

SHA256
e87355198be1abb08d062e6db5b56fb9a74b70018f86b402ff5175841d17cf12

SHA512
4784be2330e9a74255cb64d4b86e0edcfec8c382297838f3371c8ce9521c85b24e3417de67a77ba6781e1c66d18296fe5ab9d5828e4df70bc6175765118ab119

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dswp.exe

Filesize
76KB

MD5
f0b6de0d7d799cc16ccef04034fa7289

SHA1
aecc42337649aa3855b0d7fe55923ef17d57e42c

SHA256
3d6ecb3a5f91e6c10414e67057851f4c56fbea528f3bbf5d32afab6bcbb2340c

SHA512
244bfefa172982ea31f67cfbe8d7ec040994f16cd762484810c7c202bc5784fda17ed7a180dd57d05493724fd9661d77c35658516bd0d2474c2bb3e6f86c9abf

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scag.exe

Filesize
76KB

MD5
a55995980d541e5d95c43f84df244115

SHA1
0ca07e9ab001bd3d573e6946197c13a2bd0de690

SHA256
5b5920f42d97b46afcecafb73d0df09c12fa2047fca99afc70d2604d90e6b543

SHA512
9d5f0bb7f8c4e44c25e7b34cefab256f5b47e66a213c423b03824e873d71a2ce6d798dd145bbd81e3d9bd6fb6d61cf9cc69bd111e7ab8158a03c75ebf3c6585a

Download Submit
\??\c:\windows\SysWOW64\CommandPrompt.Sysm

Filesize
76KB

MD5
c398ad455dd6cc2309be92f045d0a932

SHA1
4b447ce5524cb64735ebbf7577673d6d36614dd2

SHA256
cd1986f29cced914e1e8055c3fef812cbc693b9d89089c5aa27d834a5d92a995

SHA512
08bc800d5ba86174e819c46e17691d6ccd8868e327d5e3b960f43d042ccdf28ef3060a4a938a95ede627d562702d5812c1c076c590ce901f8ccbc55c3e540f2d

Download Submit
\??\c:\windows\SysWOW64\Desktop.sysm

Filesize
76KB

MD5
c398ad455dd6cc2309be92f045d0a932

SHA1
4b447ce5524cb64735ebbf7577673d6d36614dd2

SHA256
cd1986f29cced914e1e8055c3fef812cbc693b9d89089c5aa27d834a5d92a995

SHA512
08bc800d5ba86174e819c46e17691d6ccd8868e327d5e3b960f43d042ccdf28ef3060a4a938a95ede627d562702d5812c1c076c590ce901f8ccbc55c3e540f2d

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
fdd264050ede52d72dcaec3ddd7ca33e

SHA1
b2649f5a2ccb22e838c2b9af986313b7e1890bed

SHA256
9b5d31485f5cf1d816c3c02c5d8ac1cdc5338a4ad275f3bd299779d75e44ed7f

SHA512
68b9afed5ea78ca644f149e741d12e923b8b80d37a715c5f39e8d9da2c82983c36b1dc53d38d4f2be30ec523fdd9bebf02ab6f50c8910624068d109e5d9412d1

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
a55995980d541e5d95c43f84df244115

SHA1
0ca07e9ab001bd3d573e6946197c13a2bd0de690

SHA256
5b5920f42d97b46afcecafb73d0df09c12fa2047fca99afc70d2604d90e6b543

SHA512
9d5f0bb7f8c4e44c25e7b34cefab256f5b47e66a213c423b03824e873d71a2ce6d798dd145bbd81e3d9bd6fb6d61cf9cc69bd111e7ab8158a03c75ebf3c6585a

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
c398ad455dd6cc2309be92f045d0a932

SHA1
4b447ce5524cb64735ebbf7577673d6d36614dd2

SHA256
cd1986f29cced914e1e8055c3fef812cbc693b9d89089c5aa27d834a5d92a995

SHA512
08bc800d5ba86174e819c46e17691d6ccd8868e327d5e3b960f43d042ccdf28ef3060a4a938a95ede627d562702d5812c1c076c590ce901f8ccbc55c3e540f2d

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/332-277-0x0000000000000000-mapping.dmp

Download
memory/664-335-0x0000000000000000-mapping.dmp

Download
memory/664-343-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/748-267-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/748-264-0x0000000000000000-mapping.dmp

Download
memory/748-279-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/772-274-0x0000000000000000-mapping.dmp

Download
memory/928-204-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/928-157-0x0000000000000000-mapping.dmp

Download
memory/928-163-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1296-233-0x0000000000000000-mapping.dmp

Download
memory/1392-308-0x0000000000000000-mapping.dmp

Download
memory/1548-142-0x0000000000000000-mapping.dmp

Download
memory/1680-310-0x0000000000000000-mapping.dmp

Download
memory/1752-280-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-272-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-254-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-240-0x0000000000000000-mapping.dmp

Download
memory/1892-271-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1892-239-0x0000000000000000-mapping.dmp

Download
memory/2432-244-0x0000000000000000-mapping.dmp

Download
memory/2472-328-0x0000000000000000-mapping.dmp

Download
memory/2940-178-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2940-181-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2940-175-0x0000000000000000-mapping.dmp

Download
memory/3168-339-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3168-320-0x0000000000000000-mapping.dmp

Download
memory/3412-211-0x0000000000000000-mapping.dmp

Download
memory/3476-344-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3476-336-0x0000000000000000-mapping.dmp

Download
memory/3616-294-0x0000000000000000-mapping.dmp

Download
memory/3616-317-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3616-302-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3672-138-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3672-135-0x0000000000000000-mapping.dmp

Download
memory/3672-141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3780-169-0x0000000000000000-mapping.dmp

Download
memory/3788-315-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3788-297-0x0000000000000000-mapping.dmp

Download
memory/3788-303-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3984-214-0x0000000000000000-mapping.dmp

Download
memory/4008-309-0x0000000000000000-mapping.dmp

Download
memory/4024-268-0x0000000000000000-mapping.dmp

Download
memory/4308-276-0x0000000000000000-mapping.dmp

Download
memory/4308-305-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-146-0x0000000000000000-mapping.dmp

Download
memory/4400-198-0x0000000000000000-mapping.dmp

Download
memory/4408-342-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4408-324-0x0000000000000000-mapping.dmp

Download
memory/4736-278-0x0000000000000000-mapping.dmp

Download
memory/4752-192-0x0000000000000000-mapping.dmp

Download
memory/4784-292-0x0000000000000000-mapping.dmp

Download
memory/4804-229-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4804-208-0x0000000000000000-mapping.dmp

Download
memory/4816-312-0x0000000000000000-mapping.dmp

Download
memory/4868-318-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-275-0x0000000000000000-mapping.dmp

Download
memory/4868-306-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4876-232-0x0000000000000000-mapping.dmp

Download
memory/4900-307-0x0000000000000000-mapping.dmp

Download
memory/4928-304-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4928-273-0x0000000000000000-mapping.dmp

Download
memory/4928-316-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4940-183-0x0000000000000000-mapping.dmp

Download
memory/5000-207-0x0000000000000000-mapping.dmp

Download
memory/5000-228-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5000-213-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5000-260-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download