876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8

Analysis

max time kernel
145s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Size

205KB
MD5

92ead6ec5492c5b8a091b0559285cf78
SHA1

80e8078054add11e613ff67a0fb2fd0fa41c8f07
SHA256

876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8
SHA512

50ad346458596bdc81185d886502c199f5a47068bd9fb7dfa67119d7308d4aaaaa393ca1e1a397d8cdc497f26f65d68692e0b43019ad2b7f28c00f8884d708b2
SSDEEP

3072:FqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:FqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avcw.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Disables RegEdit via registry modification 8 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
1224	csrss.exe
1692	csrss.exe
108	csrss.exe
1060	csrss.exe
1612	avcw.exe
1660	smss.exe
836	smss.exe
1404	csrss.exe
556	csrss.exe
316	smss.exe
1364	smss.exe
1004	lsass.exe
948	lsass.exe
1804	csrss.exe
552	csrss.exe
1716	smss.exe
1932	smss.exe
1820	lsass.exe
748	lsass.exe
1492	services.exe
1480	services.exe
824	csrss.exe
2024	csrss.exe
1600	smss.exe
1588	smss.exe
1516	lsass.exe
1036	lsass.exe
1272	services.exe
1092	services.exe
1604	winlogon.exe
556	winlogon.exe
1376	csrss.exe
852	csrss.exe
924	smss.exe
1864	smss.exe
296	lsass.exe
1020	lsass.exe
1552	services.exe
1540	services.exe
1952	winlogon.exe
1584	winlogon.exe
1716	~Paraysutki_VM_Community~
692	~Paraysutki_VM_Community~
852	winlogon.exe
1852	winlogon.exe
952	~Paraysutki_VM_Community~
1968	services.exe
1360	services.exe
576	services.exe
956	services.exe
1140	lsass.exe
604	lsass.exe
2028	~Paraysutki_VM_Community~
1524	ping.exe
1248	smss.exe
1752	smss.exe
852	lsass.exe
1680	lsass.exe
1316	lsass.exe
824	lsass.exe
960	smss.exe
1664	services.exe
956	services.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	winlogon.exe

Loads dropped DLL 64 IoCs

pid	Process
1672	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
1672	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
1224	csrss.exe
1224	csrss.exe
1224	csrss.exe
1692	csrss.exe
1692	csrss.exe
1692	csrss.exe
108	csrss.exe
108	csrss.exe
1060	csrss.exe
108	csrss.exe
108	csrss.exe
1692	csrss.exe
1692	csrss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
1404	csrss.exe
1404	csrss.exe
556	csrss.exe
836	smss.exe
836	smss.exe
316	smss.exe
316	smss.exe
1364	smss.exe
836	smss.exe
836	smss.exe
1004	lsass.exe
1004	lsass.exe
1004	lsass.exe
948	lsass.exe
948	lsass.exe
948	lsass.exe
1804	csrss.exe
1804	csrss.exe
552	csrss.exe
948	lsass.exe
948	lsass.exe
1716	smss.exe
1716	smss.exe
1932	smss.exe
948	lsass.exe
948	lsass.exe
1820	lsass.exe
1820	lsass.exe
748	lsass.exe
948	lsass.exe
948	lsass.exe
1492	services.exe
1492	services.exe
1492	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
824	csrss.exe
824	csrss.exe
2024	csrss.exe
1480	services.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	avcw.exe
File opened (read-only)	\??\J:	avcw.exe
File opened (read-only)	\??\P:	avcw.exe
File opened (read-only)	\??\Q:	avcw.exe
File opened (read-only)	\??\Y:	avcw.exe
File opened (read-only)	\??\H:	avcw.exe
File opened (read-only)	\??\L:	avcw.exe
File opened (read-only)	\??\T:	avcw.exe
File opened (read-only)	\??\B:	avcw.exe
File opened (read-only)	\??\M:	avcw.exe
File opened (read-only)	\??\N:	avcw.exe
File opened (read-only)	\??\R:	avcw.exe
File opened (read-only)	\??\V:	avcw.exe
File opened (read-only)	\??\W:	avcw.exe
File opened (read-only)	\??\X:	avcw.exe
File opened (read-only)	\??\Z:	avcw.exe
File opened (read-only)	\??\E:	avcw.exe
File opened (read-only)	\??\F:	avcw.exe
File opened (read-only)	\??\I:	avcw.exe
File opened (read-only)	\??\K:	avcw.exe
File opened (read-only)	\??\O:	avcw.exe
File opened (read-only)	\??\S:	avcw.exe
File opened (read-only)	\??\U:	avcw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	avcw.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	avcw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	avcw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	avcw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	avcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	avcw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	avcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	avcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	avcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	avcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	avcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	avcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	avcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	avcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	avcw.exe

Runs ping.exe 1 TTPs 24 IoCs

Remote System Discovery

T1018

pid	Process
1304	ping.exe
1376	ping.exe
692	ping.exe
2640	ping.exe
2904	ping.exe
2252	ping.exe
452	ping.exe
1592	ping.exe
2512	ping.exe
2432	ping.exe
2412	ping.exe
1252	ping.exe
1364	ping.exe
2648	ping.exe
2896	ping.exe
1524	ping.exe
2656	ping.exe
924	ping.exe
948	ping.exe
2528	ping.exe
2520	ping.exe
2912	ping.exe
992	ping.exe
584	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1604	winlogon.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe
1492	services.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1400	rundll32.exe
1964	rundll32.exe
1860	rundll32.exe
1972	rundll32.exe
3004	rundll32.exe
2360	rundll32.exe
2748	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1672	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
1224	csrss.exe
1692	csrss.exe
108	csrss.exe
1060	csrss.exe
1612	avcw.exe
1660	smss.exe
836	smss.exe
1404	csrss.exe
556	csrss.exe
316	smss.exe
1364	smss.exe
1004	lsass.exe
948	lsass.exe
1804	csrss.exe
552	csrss.exe
1716	smss.exe
1932	smss.exe
1820	lsass.exe
748	lsass.exe
1492	services.exe
1480	services.exe
824	csrss.exe
2024	csrss.exe
1600	smss.exe
1588	smss.exe
1516	lsass.exe
1036	lsass.exe
1272	services.exe
1092	services.exe
1604	winlogon.exe
556	winlogon.exe
1376	csrss.exe
852	csrss.exe
924	smss.exe
1864	smss.exe
296	lsass.exe
1020	lsass.exe
1552	services.exe
1540	services.exe
1952	winlogon.exe
1584	winlogon.exe
1716	~Paraysutki_VM_Community~
692	~Paraysutki_VM_Community~
852	winlogon.exe
1852	winlogon.exe
952	~Paraysutki_VM_Community~
1968	services.exe
1360	services.exe
576	services.exe
956	services.exe
1140	lsass.exe
604	lsass.exe
2028	~Paraysutki_VM_Community~
1524	ping.exe
1248	smss.exe
1752	smss.exe
852	lsass.exe
1316	lsass.exe
1680	lsass.exe
824	lsass.exe
960	smss.exe
1664	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1576	1672	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	27
PID 1672 wrote to memory of 1576	1672	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	27
PID 1672 wrote to memory of 1576	1672	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	27
PID 1672 wrote to memory of 1576	1672	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	27
PID 1576 wrote to memory of 1224	1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	28
PID 1576 wrote to memory of 1224	1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	28
PID 1576 wrote to memory of 1224	1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	28
PID 1576 wrote to memory of 1224	1576	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe	28
PID 1224 wrote to memory of 1692	1224	csrss.exe	29
PID 1224 wrote to memory of 1692	1224	csrss.exe	29
PID 1224 wrote to memory of 1692	1224	csrss.exe	29
PID 1224 wrote to memory of 1692	1224	csrss.exe	29
PID 1692 wrote to memory of 108	1692	csrss.exe	30
PID 1692 wrote to memory of 108	1692	csrss.exe	30
PID 1692 wrote to memory of 108	1692	csrss.exe	30
PID 1692 wrote to memory of 108	1692	csrss.exe	30
PID 108 wrote to memory of 1060	108	csrss.exe	31
PID 108 wrote to memory of 1060	108	csrss.exe	31
PID 108 wrote to memory of 1060	108	csrss.exe	31
PID 108 wrote to memory of 1060	108	csrss.exe	31
PID 108 wrote to memory of 1612	108	csrss.exe	32
PID 108 wrote to memory of 1612	108	csrss.exe	32
PID 108 wrote to memory of 1612	108	csrss.exe	32
PID 108 wrote to memory of 1612	108	csrss.exe	32
PID 1692 wrote to memory of 1660	1692	csrss.exe	33
PID 1692 wrote to memory of 1660	1692	csrss.exe	33
PID 1692 wrote to memory of 1660	1692	csrss.exe	33
PID 1692 wrote to memory of 1660	1692	csrss.exe	33
PID 1660 wrote to memory of 836	1660	smss.exe	34
PID 1660 wrote to memory of 836	1660	smss.exe	34
PID 1660 wrote to memory of 836	1660	smss.exe	34
PID 1660 wrote to memory of 836	1660	smss.exe	34
PID 836 wrote to memory of 1404	836	smss.exe	35
PID 836 wrote to memory of 1404	836	smss.exe	35
PID 836 wrote to memory of 1404	836	smss.exe	35
PID 836 wrote to memory of 1404	836	smss.exe	35
PID 1404 wrote to memory of 556	1404	csrss.exe	36
PID 1404 wrote to memory of 556	1404	csrss.exe	36
PID 1404 wrote to memory of 556	1404	csrss.exe	36
PID 1404 wrote to memory of 556	1404	csrss.exe	36
PID 836 wrote to memory of 316	836	smss.exe	38
PID 836 wrote to memory of 316	836	smss.exe	38
PID 836 wrote to memory of 316	836	smss.exe	38
PID 836 wrote to memory of 316	836	smss.exe	38
PID 316 wrote to memory of 1364	316	smss.exe	37
PID 316 wrote to memory of 1364	316	smss.exe	37
PID 316 wrote to memory of 1364	316	smss.exe	37
PID 316 wrote to memory of 1364	316	smss.exe	37
PID 836 wrote to memory of 1004	836	smss.exe	39
PID 836 wrote to memory of 1004	836	smss.exe	39
PID 836 wrote to memory of 1004	836	smss.exe	39
PID 836 wrote to memory of 1004	836	smss.exe	39
PID 1004 wrote to memory of 948	1004	lsass.exe	40
PID 1004 wrote to memory of 948	1004	lsass.exe	40
PID 1004 wrote to memory of 948	1004	lsass.exe	40
PID 1004 wrote to memory of 948	1004	lsass.exe	40
PID 948 wrote to memory of 1804	948	lsass.exe	41
PID 948 wrote to memory of 1804	948	lsass.exe	41
PID 948 wrote to memory of 1804	948	lsass.exe	41
PID 948 wrote to memory of 1804	948	lsass.exe	41
PID 1804 wrote to memory of 552	1804	csrss.exe	42
PID 1804 wrote to memory of 552	1804	csrss.exe	42
PID 1804 wrote to memory of 552	1804	csrss.exe	42
PID 1804 wrote to memory of 552	1804	csrss.exe	42

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
"C:\Users\Admin\AppData\Local\Temp\876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
  C:\Users\Admin\AppData\Local\Temp\876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1576
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1692
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:108
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1060
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\avcw.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\avcw.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1612
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:836
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1860
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:992
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:452
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        13⤵
        Runs ping.exe
        
        PID:1592
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        13⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        13⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        13⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        13⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        13⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        13⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1964
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:1304
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:1252
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        11⤵
        Runs ping.exe
        
        PID:1364
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        11⤵
        
        PID:904
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        11⤵
        
        PID:516
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        11⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        11⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        11⤵
        
        PID:824
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        11⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1400
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:584
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:1376
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        9⤵
        
        PID:972
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        9⤵
        Runs ping.exe
        
        PID:924
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        9⤵
        
        PID:956
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        9⤵
        
        PID:656
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        9⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        9⤵
        
        PID:604
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2512
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:2528
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2520
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1316
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:956
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:576
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        
        PID:952
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1972
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Executes dropped EXE
        Runs ping.exe
        Suspicious use of SetWindowsHookEx
        
        PID:1524
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:948
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:108
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:692
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:2492
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      PID:956
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1140
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:604
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        
        PID:2028
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        
        PID:960
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        
        PID:1476
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:1772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        
        PID:108
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3004
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:2432
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2252
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2412
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2360
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:2656
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2648
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2640
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:2988
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    - Drops file in System32 directory
    PID:2604
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2748
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:2912
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2904
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2896
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:2368

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-926095158-11108115771946743151-7453787461457314381475935246-730648565-1776962743"
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\avcw.exe

Filesize
76KB

MD5
d6ba9969d084867ab4de4c32a9239149

SHA1
f048b983519d36bb4896c8f9ca0eee96e6fd20e4

SHA256
9839fb335ad4f65b8321577a3d88f5120d9722cbe5657c1646d730e4002c3418

SHA512
292ca3f51e61c67d5179aa147ee9273b267857cd79415668033c82bf3dab9d0fcd3f872ba17efdb93e5bc48557ee31e3bb4ae8112c4db31abd982472c96d889b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\avcw.exe

Filesize
76KB

MD5
d6ba9969d084867ab4de4c32a9239149

SHA1
f048b983519d36bb4896c8f9ca0eee96e6fd20e4

SHA256
9839fb335ad4f65b8321577a3d88f5120d9722cbe5657c1646d730e4002c3418

SHA512
292ca3f51e61c67d5179aa147ee9273b267857cd79415668033c82bf3dab9d0fcd3f872ba17efdb93e5bc48557ee31e3bb4ae8112c4db31abd982472c96d889b

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\876a55769e9402dbd6cfb80ad597adee87e009b892cfd17556a01499e377d0f8.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\avcw.exe

Filesize
76KB

MD5
d6ba9969d084867ab4de4c32a9239149

SHA1
f048b983519d36bb4896c8f9ca0eee96e6fd20e4

SHA256
9839fb335ad4f65b8321577a3d88f5120d9722cbe5657c1646d730e4002c3418

SHA512
292ca3f51e61c67d5179aa147ee9273b267857cd79415668033c82bf3dab9d0fcd3f872ba17efdb93e5bc48557ee31e3bb4ae8112c4db31abd982472c96d889b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\avcw.exe

Filesize
76KB

MD5
d6ba9969d084867ab4de4c32a9239149

SHA1
f048b983519d36bb4896c8f9ca0eee96e6fd20e4

SHA256
9839fb335ad4f65b8321577a3d88f5120d9722cbe5657c1646d730e4002c3418

SHA512
292ca3f51e61c67d5179aa147ee9273b267857cd79415668033c82bf3dab9d0fcd3f872ba17efdb93e5bc48557ee31e3bb4ae8112c4db31abd982472c96d889b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
e1aa3bab2a0fe24afbcd3a52e346a494

SHA1
c3e7fe85cce60358935796fc87d060c58f502ca2

SHA256
6f877ccc206189b28ba6a55abe6fd64f587303f33056278950905d897f57ad3f

SHA512
238209c08fcd2edd2805072b03d32676a390c5af43fea71ba2709479f5e7e69bc1c11aba9a0e081a0c1e3ee677b4fd0e5a3bd39f89022f9022467cd2057e4c74

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/108-114-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/108-403-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/552-183-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/556-277-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/556-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/556-320-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/556-281-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/576-384-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-380-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/604-385-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/748-197-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/824-374-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/836-174-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/852-246-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/944-427-0x0000000001C30000-0x0000000001C5A000-memory.dmp

Filesize
168KB

Download
memory/944-409-0x0000000001C30000-0x0000000001C5A000-memory.dmp

Filesize
168KB

Download
memory/948-177-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/948-341-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/956-348-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/960-410-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1004-176-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1004-175-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1020-260-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1036-224-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1060-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1092-233-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1140-425-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1140-382-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1224-112-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1360-343-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1364-160-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1480-228-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1480-328-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1484-394-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1492-226-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1524-357-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1540-267-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1576-111-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1584-276-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1588-217-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1604-275-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1604-274-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1660-172-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1660-173-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1664-383-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1672-109-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1672-110-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1680-369-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1692-113-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1692-453-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-362-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1772-411-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1852-318-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1864-253-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1932-190-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-423-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1968-342-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2024-210-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2188-416-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2248-442-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2320-445-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/2348-450-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/2376-437-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2376-460-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2400-461-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download