24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12

Analysis

max time kernel
240s
max time network
248s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Size

127KB
MD5

a1f906cca600c01f6dd03c61b89aafd8
SHA1

d1f299a68712dbfcf307384cc8b78a43d6ed11a3
SHA256

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12
SHA512

d917bd03d27f2f7a4e9ba0bbcf77efc456271765a1d693cfb9a986ee1b313ca4fe44a576897549eaf26a518581dc8c9e1ee2300c54d816acd298040b35856c89
SSDEEP

1536:EnqJu3abBGy3G8V0iuoKTMUYU6U5jUdPQc+n35KZg8/nouy8Iu:EqlMPsgMYjUtQl78vout

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exendsv.execsrss.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exendsv.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ndsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exendsv.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ndsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

Executes dropped EXE 36 IoCs

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe ndsv.execsrss.exesmss.exesmss.exe csrss.exe lsass.exelsass.exe csrss.execsrss.exeservices.execsrss.exe csrss.exe smss.exesmss.exewinlogon.exeuxdp.exeservices.exe smss.exe smss.exe csrss.execsrss.exe lsass.exelsass.exelsass.exe lsass.exe smss.exeservices.exeservices.execsrss.exewinlogon.exe Paraysutki_VM_Communityservices.exe services.exe csrss.exe smss.exe

pid	process
4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
3164	ndsv.exe
3404	csrss.exe
436	smss.exe
3552	smss.exe
4588	csrss.exe
4700	lsass.exe
1280	lsass.exe
4944	csrss.exe
760	csrss.exe
3992	services.exe
1792	csrss.exe
408	csrss.exe
712	smss.exe
4964	smss.exe
4864	winlogon.exe
3796	uxdp.exe
988	services.exe
3156	smss.exe
3576	smss.exe
1484	csrss.exe
4872	csrss.exe
3740	lsass.exe
1500	lsass.exe
4816	lsass.exe
4856	lsass.exe
4016	smss.exe
3316	services.exe
4032	services.exe
4000	csrss.exe
5064	winlogon.exe
4624	Paraysutki_VM_Community
2932	services.exe
756	services.exe
3292	csrss.exe
4928	smss.exe

Loads dropped DLL 33 IoCs

Processes:

csrss.exesmss.execsrss.exe lsass.exesmss.exe lsass.exe csrss.execsrss.exeservices.exesmss.exesmss.execsrss.exe csrss.exe winlogon.exeservices.exe smss.exe smss.exe csrss.execsrss.exe lsass.exelsass.exelsass.exe lsass.exe services.exesmss.exeservices.execsrss.exewinlogon.exe Paraysutki_VM_Communityservices.exe services.exe csrss.exe smss.exe

pid	process
3404	csrss.exe
436	smss.exe
4588	csrss.exe
4700	lsass.exe
3552	smss.exe
1280	lsass.exe
4944	csrss.exe
760	csrss.exe
3992	services.exe
4964	smss.exe
712	smss.exe
408	csrss.exe
1792	csrss.exe
4864	winlogon.exe
988	services.exe
3156	smss.exe
3576	smss.exe
1484	csrss.exe
4872	csrss.exe
1500	lsass.exe
3740	lsass.exe
4816	lsass.exe
4856	lsass.exe
4032	services.exe
4016	smss.exe
3316	services.exe
4000	csrss.exe
5064	winlogon.exe
4624	Paraysutki_VM_Community
2932	services.exe
756	services.exe
3292	csrss.exe
4928	smss.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csrss.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe

Drops file in System32 directory 64 IoCs

Processes:

ndsv.exeservices.exe 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe lsass.exe services.execsrss.execsrss.exe winlogon.execsrss.exelsass.exesmss.exesmss.exe smss.exesmss.exelsass.exeuxdp.exe24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.execsrss.exeservices.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	ndsv.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	ndsv.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	uxdp.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	ndsv.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe

Drops file in Program Files directory 5 IoCs

Processes:

ndsv.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	ndsv.exe

Modifies registry class 64 IoCs

Processes:

ndsv.execsrss.exe24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exelsass.exe

pid	process
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
3404	csrss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
436	smss.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe
4700	lsass.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe ndsv.execsrss.exesmss.exelsass.exesmss.exe csrss.exe services.exelsass.exe csrss.execsrss.exesmss.exewinlogon.exesmss.exeservices.exe csrss.exe csrss.exe uxdp.exesmss.exe smss.exe csrss.execsrss.exe lsass.exelsass.exelsass.exe lsass.exe services.exeservices.exesmss.exewinlogon.exe csrss.exeservices.exe services.exe Paraysutki_VM_Communitycsrss.exe

pid	process
4140	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
3164	ndsv.exe
3404	csrss.exe
436	smss.exe
4700	lsass.exe
3552	smss.exe
4588	csrss.exe
3992	services.exe
1280	lsass.exe
4944	csrss.exe
760	csrss.exe
4964	smss.exe
4864	winlogon.exe
712	smss.exe
988	services.exe
408	csrss.exe
1792	csrss.exe
3796	uxdp.exe
3156	smss.exe
3576	smss.exe
1484	csrss.exe
4872	csrss.exe
1500	lsass.exe
3740	lsass.exe
4856	lsass.exe
4816	lsass.exe
4032	services.exe
3316	services.exe
4016	smss.exe
5064	winlogon.exe
4000	csrss.exe
2932	services.exe
756	services.exe
4624	Paraysutki_VM_Community
3292	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe smss.execsrss.exelsass.execsrss.exe smss.exe csrss.execsrss.exeservices.exesmss.exesmss.exeservices.exe csrss.exe

description	pid	process	target process
PID 4140 wrote to memory of 4884	4140	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
PID 4140 wrote to memory of 4884	4140	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
PID 4140 wrote to memory of 4884	4140	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
PID 4140 wrote to memory of 3164	4140	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	ndsv.exe
PID 4140 wrote to memory of 3164	4140	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	ndsv.exe
PID 4140 wrote to memory of 3164	4140	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	ndsv.exe
PID 4884 wrote to memory of 3404	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	csrss.exe
PID 4884 wrote to memory of 3404	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	csrss.exe
PID 4884 wrote to memory of 3404	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	csrss.exe
PID 4884 wrote to memory of 436	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	smss.exe
PID 4884 wrote to memory of 436	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	smss.exe
PID 4884 wrote to memory of 436	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	smss.exe
PID 436 wrote to memory of 3552	436	smss.exe	smss.exe
PID 436 wrote to memory of 3552	436	smss.exe	smss.exe
PID 436 wrote to memory of 3552	436	smss.exe	smss.exe
PID 3404 wrote to memory of 4588	3404	csrss.exe	csrss.exe
PID 3404 wrote to memory of 4588	3404	csrss.exe	csrss.exe
PID 3404 wrote to memory of 4588	3404	csrss.exe	csrss.exe
PID 4884 wrote to memory of 4700	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	lsass.exe
PID 4884 wrote to memory of 4700	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	lsass.exe
PID 4884 wrote to memory of 4700	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	lsass.exe
PID 4700 wrote to memory of 1280	4700	lsass.exe	lsass.exe
PID 4700 wrote to memory of 1280	4700	lsass.exe	lsass.exe
PID 4700 wrote to memory of 1280	4700	lsass.exe	lsass.exe
PID 4588 wrote to memory of 4944	4588	csrss.exe	csrss.exe
PID 4588 wrote to memory of 4944	4588	csrss.exe	csrss.exe
PID 4588 wrote to memory of 4944	4588	csrss.exe	csrss.exe
PID 3552 wrote to memory of 760	3552	smss.exe	csrss.exe
PID 3552 wrote to memory of 760	3552	smss.exe	csrss.exe
PID 3552 wrote to memory of 760	3552	smss.exe	csrss.exe
PID 4884 wrote to memory of 3992	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	services.exe
PID 4884 wrote to memory of 3992	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	services.exe
PID 4884 wrote to memory of 3992	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	services.exe
PID 760 wrote to memory of 1792	760	csrss.exe	csrss.exe
PID 760 wrote to memory of 1792	760	csrss.exe	csrss.exe
PID 760 wrote to memory of 1792	760	csrss.exe	csrss.exe
PID 4944 wrote to memory of 408	4944	csrss.exe	csrss.exe
PID 4944 wrote to memory of 408	4944	csrss.exe	csrss.exe
PID 4944 wrote to memory of 408	4944	csrss.exe	csrss.exe
PID 3552 wrote to memory of 712	3552	smss.exe	smss.exe
PID 3552 wrote to memory of 712	3552	smss.exe	smss.exe
PID 3552 wrote to memory of 712	3552	smss.exe	smss.exe
PID 4588 wrote to memory of 4964	4588	csrss.exe	smss.exe
PID 4588 wrote to memory of 4964	4588	csrss.exe	smss.exe
PID 4588 wrote to memory of 4964	4588	csrss.exe	smss.exe
PID 4884 wrote to memory of 4864	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	winlogon.exe
PID 4884 wrote to memory of 4864	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	winlogon.exe
PID 4884 wrote to memory of 4864	4884	24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe	winlogon.exe
PID 3404 wrote to memory of 3796	3404	csrss.exe	uxdp.exe
PID 3404 wrote to memory of 3796	3404	csrss.exe	uxdp.exe
PID 3404 wrote to memory of 3796	3404	csrss.exe	uxdp.exe
PID 3992 wrote to memory of 988	3992	services.exe	services.exe
PID 3992 wrote to memory of 988	3992	services.exe	services.exe
PID 3992 wrote to memory of 988	3992	services.exe	services.exe
PID 4964 wrote to memory of 3576	4964	smss.exe	smss.exe
PID 4964 wrote to memory of 3576	4964	smss.exe	smss.exe
PID 4964 wrote to memory of 3576	4964	smss.exe	smss.exe
PID 712 wrote to memory of 3156	712	smss.exe	smss.exe
PID 712 wrote to memory of 3156	712	smss.exe	smss.exe
PID 712 wrote to memory of 3156	712	smss.exe	smss.exe
PID 988 wrote to memory of 1484	988	services.exe	csrss.exe
PID 988 wrote to memory of 1484	988	services.exe	csrss.exe
PID 988 wrote to memory of 1484	988	services.exe	csrss.exe
PID 1484 wrote to memory of 4872	1484	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
"C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140

C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
3⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:408

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2932

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\uxdp.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\uxdp.exe" csrss
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3292

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4928

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4624

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe" 24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\24bc30fbeef7b9c24a4d31d1e77f5050124217e54df058eeadca4d1b56c9ea12.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ndsv.exe
Filesize
76KB

MD5
76f59bb993494725515ee4d3de077d85

SHA1
6ef5e44bb8d325aa096422506f342ffbd501dd1c

SHA256
fd1bb5169c4cf94b67960075fe8a70e3b4db313c1b459d4e9820bfa2495001a7

SHA512
1c6aa319e2a824146a5e7b5d0da1a6bf18dd7dd6f4f5671e6558336b46cc11a78df3fe7be267e5b80a3e6e213d44861dedc0517f273520855486f0ec09f5cfb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\uxdp.exe
Filesize
76KB

MD5
9b7da2eb601ae3fd27d9590453368490

SHA1
388ff237ac0051c5d311d4e16af0b3d0b06d3677

SHA256
781e7a0b19b05009f966183784f9bf7b8f070e3d0bb9a4e9b2045c5cbc0a0105

SHA512
5c1b562721faa1a6118bd55b3fdb2c7c85982155e8f9b2d0b3ae0c3bdd13f28c7c736217616c8b5f6ff69541b1f71ac17cce0c6e15dc04617390eb56e55a6d49

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
06784c5378e5d7edd9cdd7312568541e

SHA1
5352a5f465f8596e2ea78f1f14151fd2cd91f618

SHA256
2d6133e00be7ebaf90f41ec8b1fafdaf3bea8c62e612fff99514dbc5a37e14bd

SHA512
b6d90ad4e8fd6006e97b6cb41f17997b4095ce3c46d5aec25876231cf5cd1145f7bf731a0172bd8524f9765b82a510516f4ce073cd9a72b8ddf217c11de0eb66

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Filesize
127KB

MD5
bd2087e1821fb73a07a96c89fcc2d434

SHA1
0355e00ffca3ca8ff2b9c90cc6683f1f327c394a

SHA256
46b34178b0ca1ce853c6ba452ddd4066489d82be5e147b1c39d3478041456387

SHA512
13b9f9e0d6ba56fbfb97c4ffb981800ce38812207698735ff85507a81341e32381347d71e031529cdf9dd057256c891a61efd4e500ebac5e7e71e8de6b880df0

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe
Filesize
76KB

MD5
76f59bb993494725515ee4d3de077d85

SHA1
6ef5e44bb8d325aa096422506f342ffbd501dd1c

SHA256
fd1bb5169c4cf94b67960075fe8a70e3b4db313c1b459d4e9820bfa2495001a7

SHA512
1c6aa319e2a824146a5e7b5d0da1a6bf18dd7dd6f4f5671e6558336b46cc11a78df3fe7be267e5b80a3e6e213d44861dedc0517f273520855486f0ec09f5cfb8

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\uxdp.exe
Filesize
76KB

MD5
9b7da2eb601ae3fd27d9590453368490

SHA1
388ff237ac0051c5d311d4e16af0b3d0b06d3677

SHA256
781e7a0b19b05009f966183784f9bf7b8f070e3d0bb9a4e9b2045c5cbc0a0105

SHA512
5c1b562721faa1a6118bd55b3fdb2c7c85982155e8f9b2d0b3ae0c3bdd13f28c7c736217616c8b5f6ff69541b1f71ac17cce0c6e15dc04617390eb56e55a6d49

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
91c9147118eb3728e55e48d241e3cdfc

SHA1
960d599ee2ea7ffcbe1dfde30778e26dae2fa0d9

SHA256
1c2cb2e0b345ddfc4fb1aa7c40898ce120ce7ab153da38f356065b77563651a9

SHA512
5eac717f666b4b973a13a296dd572c67a8176667084ad594ee19050ef1b3b1a3de4544160b935b5f28e88deaf1f0a698d7b1af43dc9473423b508797cc8c3cfb

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
9b7da2eb601ae3fd27d9590453368490

SHA1
388ff237ac0051c5d311d4e16af0b3d0b06d3677

SHA256
781e7a0b19b05009f966183784f9bf7b8f070e3d0bb9a4e9b2045c5cbc0a0105

SHA512
5c1b562721faa1a6118bd55b3fdb2c7c85982155e8f9b2d0b3ae0c3bdd13f28c7c736217616c8b5f6ff69541b1f71ac17cce0c6e15dc04617390eb56e55a6d49

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/408-214-0x0000000000000000-mapping.dmp

Download
memory/408-266-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/436-152-0x0000000000000000-mapping.dmp

Download
memory/712-217-0x0000000000000000-mapping.dmp

Download
memory/756-308-0x0000000000000000-mapping.dmp

Download
memory/760-193-0x0000000000000000-mapping.dmp

Download
memory/988-262-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/988-227-0x0000000000000000-mapping.dmp

Download
memory/988-288-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-189-0x0000000000000000-mapping.dmp

Download
memory/1484-267-0x0000000000000000-mapping.dmp

Download
memory/1500-275-0x0000000000000000-mapping.dmp

Download
memory/1792-299-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-212-0x0000000000000000-mapping.dmp

Download
memory/2932-303-0x0000000000000000-mapping.dmp

Download
memory/3156-289-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3156-263-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3156-249-0x0000000000000000-mapping.dmp

Download
memory/3156-301-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3164-141-0x0000000000000000-mapping.dmp

Download
memory/3292-317-0x0000000000000000-mapping.dmp

Download
memory/3316-292-0x0000000000000000-mapping.dmp

Download
memory/3404-143-0x0000000000000000-mapping.dmp

Download
memory/3552-183-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-169-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-163-0x0000000000000000-mapping.dmp

Download
memory/3576-265-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3576-302-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3576-247-0x0000000000000000-mapping.dmp

Download
memory/3740-274-0x0000000000000000-mapping.dmp

Download
memory/3796-226-0x0000000000000000-mapping.dmp

Download
memory/3992-194-0x0000000000000000-mapping.dmp

Download
memory/4000-294-0x0000000000000000-mapping.dmp

Download
memory/4016-290-0x0000000000000000-mapping.dmp

Download
memory/4032-291-0x0000000000000000-mapping.dmp

Download
memory/4588-164-0x0000000000000000-mapping.dmp

Download
memory/4588-184-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4624-297-0x0000000000000000-mapping.dmp

Download
memory/4700-170-0x0000000000000000-mapping.dmp

Download
memory/4816-286-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4816-281-0x0000000000000000-mapping.dmp

Download
memory/4856-280-0x0000000000000000-mapping.dmp

Download
memory/4856-287-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4864-222-0x0000000000000000-mapping.dmp

Download
memory/4872-270-0x0000000000000000-mapping.dmp

Download
memory/4872-273-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4884-134-0x0000000000000000-mapping.dmp

Download
memory/4928-319-0x0000000000000000-mapping.dmp

Download
memory/4944-192-0x0000000000000000-mapping.dmp

Download
memory/4964-218-0x0000000000000000-mapping.dmp

Download
memory/5064-296-0x0000000000000000-mapping.dmp

Download
memory/5064-306-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download