14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Size

205KB
MD5

a55d93a6f3655bce92c2ce0c4e22a7f6
SHA1

c012c7bcf19309693e8b96dda907dcf9013ea6d8
SHA256

14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9
SHA512

07a969d82b4945d86a16a2a73c82b1fd9aa582a44f4a876eba0a4a3b80a6da7ba19ee8e2396a17a3294af97fe99c548c90fb44e3b08f6cca2cfd47157fe696f5
SSDEEP

3072:cqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:cqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

winlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe smss.exe lsass.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

lsass.exe services.exe csrss.exescwt.exewinlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe smss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe smss.exe lsass.exe services.exe csrss.exescwt.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	scwt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

csrss.exescwt.exewinlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe smss.exe lsass.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	scwt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe smss.exe lsass.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

winlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe smss.exe lsass.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.execsrss.exe csrss.execsrss.exe scwt.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~

pid	process
1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
844	csrss.exe
1516	csrss.exe
972	csrss.exe
364	csrss.exe
1488	scwt.exe
1916	smss.exe
1960	smss.exe
1056	csrss.exe
1808	csrss.exe
1728	smss.exe
1612	smss.exe
1860	lsass.exe
1132	lsass.exe
1592	csrss.exe
1632	csrss.exe
548	smss.exe
1792	smss.exe
1108	lsass.exe
944	lsass.exe
2036	services.exe
468	services.exe
644	csrss.exe
364	csrss.exe
288	smss.exe
1072	smss.exe
1396	lsass.exe
1532	lsass.exe
920	services.exe
1200	services.exe
296	winlogon.exe
564	winlogon.exe
1812	csrss.exe
1992	csrss.exe
1884	smss.exe
992	smss.exe
840	lsass.exe
736	lsass.exe
512	services.exe
1844	services.exe
1524	winlogon.exe
1632	winlogon.exe
1140	~Paraysutki_VM_Community~
2040	smss.exe
1928	smss.exe
1340	lsass.exe
1788	lsass.exe
528	services.exe
904	services.exe
1464	winlogon.exe
1344	winlogon.exe
972	~Paraysutki_VM_Community~
1988	lsass.exe
1964	lsass.exe
1628	services.exe
1952	services.exe
1040	winlogon.exe
1984	winlogon.exe
1612	~Paraysutki_VM_Community~
1652	services.exe
1980	services.exe
1120	winlogon.exe
1844	winlogon.exe
1768	~Paraysutki_VM_Community~

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csrss.exe lsass.exe winlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe services.exe smss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	smss.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
1476	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
1476	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
1516	csrss.exe
1516	csrss.exe
1516	csrss.exe
972	csrss.exe
972	csrss.exe
364	csrss.exe
972	csrss.exe
972	csrss.exe
1516	csrss.exe
1516	csrss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1960	smss.exe
1960	smss.exe
1960	smss.exe
1056	csrss.exe
1056	csrss.exe
1808	csrss.exe
1960	smss.exe
1960	smss.exe
1728	smss.exe
1728	smss.exe
1612	smss.exe
1960	smss.exe
1960	smss.exe
1860	lsass.exe
1860	lsass.exe
1860	lsass.exe
1132	lsass.exe
1132	lsass.exe
1132	lsass.exe
1592	csrss.exe
1592	csrss.exe
1632	csrss.exe
1132	lsass.exe
1132	lsass.exe
548	smss.exe
548	smss.exe
1792	smss.exe
1132	lsass.exe
1132	lsass.exe
1108	lsass.exe
1108	lsass.exe
944	lsass.exe
1132	lsass.exe
1132	lsass.exe
2036	services.exe
2036	services.exe
2036	services.exe
468	services.exe
468	services.exe
468	services.exe
644	csrss.exe
644	csrss.exe
364	csrss.exe
468	services.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

smss.exe services.exe winlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe lsass.exe scwt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services.exe winlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.exe smss.exe lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

scwt.exe

description	ioc	process
File opened (read-only)	\??\S:	scwt.exe
File opened (read-only)	\??\U:	scwt.exe
File opened (read-only)	\??\W:	scwt.exe
File opened (read-only)	\??\L:	scwt.exe
File opened (read-only)	\??\N:	scwt.exe
File opened (read-only)	\??\O:	scwt.exe
File opened (read-only)	\??\P:	scwt.exe
File opened (read-only)	\??\X:	scwt.exe
File opened (read-only)	\??\Z:	scwt.exe
File opened (read-only)	\??\B:	scwt.exe
File opened (read-only)	\??\H:	scwt.exe
File opened (read-only)	\??\M:	scwt.exe
File opened (read-only)	\??\R:	scwt.exe
File opened (read-only)	\??\V:	scwt.exe
File opened (read-only)	\??\Y:	scwt.exe
File opened (read-only)	\??\G:	scwt.exe
File opened (read-only)	\??\I:	scwt.exe
File opened (read-only)	\??\J:	scwt.exe
File opened (read-only)	\??\K:	scwt.exe
File opened (read-only)	\??\E:	scwt.exe
File opened (read-only)	\??\F:	scwt.exe
File opened (read-only)	\??\Q:	scwt.exe
File opened (read-only)	\??\T:	scwt.exe

Drops file in System32 directory 64 IoCs

Processes:

14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe smss.exe lsass.exe services.exe winlogon.exe csrss.exewinlogon.execsrss.exe scwt.exelsass.exewinlogon.exeservices.exe~Paraysutki_VM_Community~services.exe~Paraysutki_VM_Community~csrss.exesmss.exelsass.execsrss.exeservices.exewinlogon.execsrss.exesmss.exeservices.exe~Paraysutki_VM_Community~services.exewinlogon.exe~Paraysutki_VM_Community~

description	ioc	process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	scwt.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe

Drops file in Program Files directory 34 IoCs

Processes:

scwt.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	scwt.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	scwt.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	scwt.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	scwt.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	scwt.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

csrss.exe lsass.exe winlogon.exe 14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe smss.exe services.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe

Modifies registry class 48 IoCs

Processes:

scwt.execsrss.exe csrss.exe14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe services.exe lsass.exe smss.exe winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
1484	ping.exe
1396	ping.exe
1964	ping.exe
1808	ping.exe
1660	ping.exe
2440	ping.exe
2432	ping.exe
2004	ping.exe
852	ping.exe
1176	ping.exe
816	ping.exe
1336	ping.exe
1836	ping.exe
660	ping.exe
1812	ping.exe
1192	ping.exe
1916	ping.exe
2424	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exe

pid	process
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
844	csrss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe
1916	smss.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe csrss.execsrss.exe csrss.execsrss.exe scwt.exesmss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~services.exeservices.exe winlogon.exewinlogon.exe

pid	process
1476	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
844	csrss.exe
1516	csrss.exe
972	csrss.exe
364	csrss.exe
1488	scwt.exe
1916	smss.exe
1960	smss.exe
1056	csrss.exe
1808	csrss.exe
1728	smss.exe
1612	smss.exe
1860	lsass.exe
1132	lsass.exe
1592	csrss.exe
1632	csrss.exe
548	smss.exe
1792	smss.exe
1108	lsass.exe
944	lsass.exe
2036	services.exe
468	services.exe
644	csrss.exe
364	csrss.exe
288	smss.exe
1072	smss.exe
1396	lsass.exe
1532	lsass.exe
920	services.exe
1200	services.exe
296	winlogon.exe
564	winlogon.exe
1812	csrss.exe
1992	csrss.exe
1884	smss.exe
992	smss.exe
840	lsass.exe
736	lsass.exe
512	services.exe
1844	services.exe
1524	winlogon.exe
1632	winlogon.exe
1140	~Paraysutki_VM_Community~
2040	smss.exe
1928	smss.exe
1340	lsass.exe
1788	lsass.exe
528	services.exe
904	services.exe
1464	winlogon.exe
1344	winlogon.exe
972	~Paraysutki_VM_Community~
1988	lsass.exe
1964	lsass.exe
1628	services.exe
1952	services.exe
1040	winlogon.exe
1984	winlogon.exe
1612	~Paraysutki_VM_Community~
1652	services.exe
1980	services.exe
1120	winlogon.exe
1844	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1476 wrote to memory of 1392	1476	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
PID 1476 wrote to memory of 1392	1476	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
PID 1476 wrote to memory of 1392	1476	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
PID 1476 wrote to memory of 1392	1476	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
PID 1392 wrote to memory of 844	1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	csrss.exe
PID 1392 wrote to memory of 844	1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	csrss.exe
PID 1392 wrote to memory of 844	1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	csrss.exe
PID 1392 wrote to memory of 844	1392	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe	csrss.exe
PID 844 wrote to memory of 1516	844	csrss.exe	csrss.exe
PID 844 wrote to memory of 1516	844	csrss.exe	csrss.exe
PID 844 wrote to memory of 1516	844	csrss.exe	csrss.exe
PID 844 wrote to memory of 1516	844	csrss.exe	csrss.exe
PID 1516 wrote to memory of 972	1516	csrss.exe	csrss.exe
PID 1516 wrote to memory of 972	1516	csrss.exe	csrss.exe
PID 1516 wrote to memory of 972	1516	csrss.exe	csrss.exe
PID 1516 wrote to memory of 972	1516	csrss.exe	csrss.exe
PID 972 wrote to memory of 364	972	csrss.exe	csrss.exe
PID 972 wrote to memory of 364	972	csrss.exe	csrss.exe
PID 972 wrote to memory of 364	972	csrss.exe	csrss.exe
PID 972 wrote to memory of 364	972	csrss.exe	csrss.exe
PID 972 wrote to memory of 1488	972	csrss.exe	scwt.exe
PID 972 wrote to memory of 1488	972	csrss.exe	scwt.exe
PID 972 wrote to memory of 1488	972	csrss.exe	scwt.exe
PID 972 wrote to memory of 1488	972	csrss.exe	scwt.exe
PID 1516 wrote to memory of 1916	1516	csrss.exe	smss.exe
PID 1516 wrote to memory of 1916	1516	csrss.exe	smss.exe
PID 1516 wrote to memory of 1916	1516	csrss.exe	smss.exe
PID 1516 wrote to memory of 1916	1516	csrss.exe	smss.exe
PID 1916 wrote to memory of 1960	1916	smss.exe	smss.exe
PID 1916 wrote to memory of 1960	1916	smss.exe	smss.exe
PID 1916 wrote to memory of 1960	1916	smss.exe	smss.exe
PID 1916 wrote to memory of 1960	1916	smss.exe	smss.exe
PID 1960 wrote to memory of 1056	1960	smss.exe	csrss.exe
PID 1960 wrote to memory of 1056	1960	smss.exe	csrss.exe
PID 1960 wrote to memory of 1056	1960	smss.exe	csrss.exe
PID 1960 wrote to memory of 1056	1960	smss.exe	csrss.exe
PID 1056 wrote to memory of 1808	1056	csrss.exe	csrss.exe
PID 1056 wrote to memory of 1808	1056	csrss.exe	csrss.exe
PID 1056 wrote to memory of 1808	1056	csrss.exe	csrss.exe
PID 1056 wrote to memory of 1808	1056	csrss.exe	csrss.exe
PID 1960 wrote to memory of 1728	1960	smss.exe	smss.exe
PID 1960 wrote to memory of 1728	1960	smss.exe	smss.exe
PID 1960 wrote to memory of 1728	1960	smss.exe	smss.exe
PID 1960 wrote to memory of 1728	1960	smss.exe	smss.exe
PID 1728 wrote to memory of 1612	1728	smss.exe	smss.exe
PID 1728 wrote to memory of 1612	1728	smss.exe	smss.exe
PID 1728 wrote to memory of 1612	1728	smss.exe	smss.exe
PID 1728 wrote to memory of 1612	1728	smss.exe	smss.exe
PID 1960 wrote to memory of 1860	1960	smss.exe	lsass.exe
PID 1960 wrote to memory of 1860	1960	smss.exe	lsass.exe
PID 1960 wrote to memory of 1860	1960	smss.exe	lsass.exe
PID 1960 wrote to memory of 1860	1960	smss.exe	lsass.exe
PID 1860 wrote to memory of 1132	1860	lsass.exe	lsass.exe
PID 1860 wrote to memory of 1132	1860	lsass.exe	lsass.exe
PID 1860 wrote to memory of 1132	1860	lsass.exe	lsass.exe
PID 1860 wrote to memory of 1132	1860	lsass.exe	lsass.exe
PID 1132 wrote to memory of 1592	1132	lsass.exe	csrss.exe
PID 1132 wrote to memory of 1592	1132	lsass.exe	csrss.exe
PID 1132 wrote to memory of 1592	1132	lsass.exe	csrss.exe
PID 1132 wrote to memory of 1592	1132	lsass.exe	csrss.exe
PID 1592 wrote to memory of 1632	1592	csrss.exe	csrss.exe
PID 1592 wrote to memory of 1632	1592	csrss.exe	csrss.exe
PID 1592 wrote to memory of 1632	1592	csrss.exe	csrss.exe
PID 1592 wrote to memory of 1632	1592	csrss.exe	csrss.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe services.exe smss.exe lsass.exe winlogon.exe csrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

C:\Users\Admin\AppData\Local\Temp\14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
"C:\Users\Admin\AppData\Local\Temp\14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
C:\Users\Admin\AppData\Local\Temp\14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1392

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:364

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwt.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\scwt.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1960

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1132

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:548

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:468

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:288

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:296

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:564

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1884

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:736

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:512

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
13⤵
PID:1496

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:2004

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
13⤵
- Runs ping.exe
PID:1176

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:1192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
13⤵
PID:1700

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
13⤵
PID:2140

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
13⤵
PID:2152

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
13⤵
PID:2304

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
13⤵
PID:2388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
13⤵
PID:2400

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
11⤵
- Drops file in System32 directory
PID:760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
11⤵
PID:2192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
11⤵
PID:2448

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
11⤵
- Runs ping.exe
PID:2440

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:2432

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:2424

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
11⤵
PID:2508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
11⤵
PID:2536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
11⤵
PID:2568

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
11⤵
PID:2580

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
11⤵
PID:2620

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
PID:1472

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
10⤵
PID:1928

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
- Drops file in System32 directory
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
PID:1084

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:852

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:1964

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:732

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:2200

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:2244

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:2232

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:2340

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:2468

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
PID:1596

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1484

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1660

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:1812

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:580

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:1472

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:1532

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:1120

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:1564

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
PID:1728

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1396

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1836

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:1548

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1916

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:844

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:1056

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:1480

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:2120

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:2280

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
PID:896

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1336

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1808

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
3⤵
- Runs ping.exe
PID:816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
3⤵
PID:736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
3⤵
PID:2164

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
3⤵
PID:2224

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
3⤵
PID:2332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
3⤵
PID:2412

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
3⤵
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\scwt.exe
Filesize
76KB

MD5
9bb971deda6f4852d4f41b73cabf86d7

SHA1
b1fbf99f8284fe4ce90d43ebb1d81fa034cfb2cf

SHA256
8f4291a69140be5129f6382d7344033187606c9a2af20e5eeebe54ea38252a88

SHA512
7a0b0c8e4c1342d9ebe365433a96ee5413eac74902c7d4ca3e576c98518196438444a77fdd59ab7ad380206b24a8609362d61c4325efe259305adbf40485a8e6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwt.exe
Filesize
76KB

MD5
9bb971deda6f4852d4f41b73cabf86d7

SHA1
b1fbf99f8284fe4ce90d43ebb1d81fa034cfb2cf

SHA256
8f4291a69140be5129f6382d7344033187606c9a2af20e5eeebe54ea38252a88

SHA512
7a0b0c8e4c1342d9ebe365433a96ee5413eac74902c7d4ca3e576c98518196438444a77fdd59ab7ad380206b24a8609362d61c4325efe259305adbf40485a8e6

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
6619c3dd0bef13199bde2381c79c2235

SHA1
8d9c34b1c059ad3460a07deab3e7be7df7aa5f88

SHA256
2f085d65571cdd337edad5d78628be80dd616f48fc27f532181015e9f91f7578

SHA512
97f1be09fa81fdbb5c9ee5b4fd2ac8710815fd559cafd029e589632d7d8008601f1e413052741944ac59c8d74d97cf03a6af931bcc3cb2decaed52ebfee692dc

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\14d8559b94251c72bb4309432b43d8b8b5fdf2a78c58731ba008daccfc9a9cf9.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\scwt.exe
Filesize
76KB

MD5
9bb971deda6f4852d4f41b73cabf86d7

SHA1
b1fbf99f8284fe4ce90d43ebb1d81fa034cfb2cf

SHA256
8f4291a69140be5129f6382d7344033187606c9a2af20e5eeebe54ea38252a88

SHA512
7a0b0c8e4c1342d9ebe365433a96ee5413eac74902c7d4ca3e576c98518196438444a77fdd59ab7ad380206b24a8609362d61c4325efe259305adbf40485a8e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\scwt.exe
Filesize
76KB

MD5
9bb971deda6f4852d4f41b73cabf86d7

SHA1
b1fbf99f8284fe4ce90d43ebb1d81fa034cfb2cf

SHA256
8f4291a69140be5129f6382d7344033187606c9a2af20e5eeebe54ea38252a88

SHA512
7a0b0c8e4c1342d9ebe365433a96ee5413eac74902c7d4ca3e576c98518196438444a77fdd59ab7ad380206b24a8609362d61c4325efe259305adbf40485a8e6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
f9eb67760b1142c35021575e6d2ccb6b

SHA1
6685035ebb767c1b7cc9093d193deb0ee04743af

SHA256
87eb03c2821097a0ff4570a5774a9dd44b76fb8ebccdda9527188ca45c14f9d7

SHA512
343e7b3b17b08c17df75e76bed5b102dd8d1b4c760b34f1936a0bc19091b99cb7dc0d0f06cb5c8a29fe5baae1b9741e193100347aa2666fb1e4a61a1f1c73a9b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/288-212-0x0000000000000000-mapping.dmp

Download
memory/296-233-0x0000000000000000-mapping.dmp

Download
memory/296-245-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/296-246-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/364-211-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/364-210-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/364-97-0x0000000000000000-mapping.dmp

Download
memory/364-205-0x0000000000000000-mapping.dmp

Download
memory/364-102-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/468-199-0x0000000000000000-mapping.dmp

Download
memory/468-209-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/512-263-0x0000000000000000-mapping.dmp

Download
memory/528-297-0x0000000000000000-mapping.dmp

Download
memory/548-182-0x0000000000000000-mapping.dmp

Download
memory/564-280-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/564-247-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/564-236-0x0000000000000000-mapping.dmp

Download
memory/564-409-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/644-202-0x0000000000000000-mapping.dmp

Download
memory/736-259-0x0000000000000000-mapping.dmp

Download
memory/736-262-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/840-256-0x0000000000000000-mapping.dmp

Download
memory/844-112-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/844-67-0x0000000000000000-mapping.dmp

Download
memory/844-113-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/896-316-0x0000000000000000-mapping.dmp

Download
memory/904-303-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/904-300-0x0000000000000000-mapping.dmp

Download
memory/920-226-0x0000000000000000-mapping.dmp

Download
memory/944-195-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/944-192-0x0000000000000000-mapping.dmp

Download
memory/972-89-0x0000000000000000-mapping.dmp

Download
memory/972-312-0x0000000000000000-mapping.dmp

Download
memory/992-252-0x0000000000000000-mapping.dmp

Download
memory/992-255-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1040-331-0x0000000000000000-mapping.dmp

Download
memory/1056-132-0x0000000000000000-mapping.dmp

Download
memory/1072-215-0x0000000000000000-mapping.dmp

Download
memory/1072-218-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1108-189-0x0000000000000000-mapping.dmp

Download
memory/1132-175-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1132-408-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1132-384-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1132-169-0x0000000000000000-mapping.dmp

Download
memory/1140-277-0x0000000000000000-mapping.dmp

Download
memory/1200-232-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1200-229-0x0000000000000000-mapping.dmp

Download
memory/1340-289-0x0000000000000000-mapping.dmp

Download
memory/1344-310-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1344-307-0x0000000000000000-mapping.dmp

Download
memory/1392-375-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1392-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1392-415-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1392-58-0x0000000000000000-mapping.dmp

Download
memory/1396-219-0x0000000000000000-mapping.dmp

Download
memory/1464-304-0x0000000000000000-mapping.dmp

Download
memory/1464-311-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1476-62-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1476-63-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1488-105-0x0000000000000000-mapping.dmp

Download
memory/1496-281-0x0000000000000000-mapping.dmp

Download
memory/1516-411-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-77-0x0000000000000000-mapping.dmp

Download
memory/1516-114-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1524-270-0x0000000000000000-mapping.dmp

Download
memory/1532-222-0x0000000000000000-mapping.dmp

Download
memory/1532-225-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1592-176-0x0000000000000000-mapping.dmp

Download
memory/1612-155-0x0000000000000000-mapping.dmp

Download
memory/1612-160-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1612-338-0x0000000000000000-mapping.dmp

Download
memory/1628-325-0x0000000000000000-mapping.dmp

Download
memory/1632-273-0x0000000000000000-mapping.dmp

Download
memory/1632-179-0x0000000000000000-mapping.dmp

Download
memory/1632-276-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1652-344-0x0000000000000000-mapping.dmp

Download
memory/1728-161-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1728-147-0x0000000000000000-mapping.dmp

Download
memory/1728-342-0x0000000000000000-mapping.dmp

Download
memory/1788-293-0x0000000000000000-mapping.dmp

Download
memory/1788-296-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1792-185-0x0000000000000000-mapping.dmp

Download
memory/1792-188-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1808-139-0x0000000000000000-mapping.dmp

Download
memory/1808-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-239-0x0000000000000000-mapping.dmp

Download
memory/1844-355-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1844-266-0x0000000000000000-mapping.dmp

Download
memory/1844-269-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1860-164-0x0000000000000000-mapping.dmp

Download
memory/1884-249-0x0000000000000000-mapping.dmp

Download
memory/1916-117-0x0000000000000000-mapping.dmp

Download
memory/1916-172-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/1916-173-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/1928-364-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1928-285-0x0000000000000000-mapping.dmp

Download
memory/1928-288-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-328-0x0000000000000000-mapping.dmp

Download
memory/1960-386-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-125-0x0000000000000000-mapping.dmp

Download
memory/1960-174-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-321-0x0000000000000000-mapping.dmp

Download
memory/1964-324-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1980-347-0x0000000000000000-mapping.dmp

Download
memory/1980-350-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1984-334-0x0000000000000000-mapping.dmp

Download
memory/1984-337-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1988-318-0x0000000000000000-mapping.dmp

Download
memory/1992-242-0x0000000000000000-mapping.dmp

Download
memory/1992-248-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2036-208-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/2036-196-0x0000000000000000-mapping.dmp

Download
memory/2040-282-0x0000000000000000-mapping.dmp

Download