8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01

Analysis

max time kernel
185s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Size

205KB
MD5

45d6c8a8101d170246c9268938ec27ee
SHA1

caf32d712cb855a5d2febe7d4dc7de9500825c65
SHA256

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01
SHA512

1362a2051c80443873d6e4a37ecde2c90abab0f96c02044eb183256d1ff0206d8b9c23f079c8416ecc437cb5f42fbebb01fda683cc5d98238cb1e996d6ee65e3
SSDEEP

3072:LqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:LqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

csrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe smss.exe winlogon.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

smss.exesmss.exeizha.exe8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe smss.exe services.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exendsv.execsrss.execsrss.exe winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	izha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.execsrss.exesmss.exesmss.execsrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe smss.exe winlogon.exe services.exe ndsv.exeizha.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ndsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	izha.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

services.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exendsv.exesmss.exesmss.execsrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe csrss.exeizha.exesmss.exe winlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ndsv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	izha.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winlogon.exe csrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe smss.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

csrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe smss.exe winlogon.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe csrss.execsrss.exe smss.exendsv.exesmss.exe csrss.execsrss.execsrss.exe csrss.exe smss.exesmss.exe smss.exelsass.exelsass.exeizha.exesmss.exe lsass.exeservices.exedsnv.exeservices.exelsass.exe services.exelsass.exe lsass.exe namw.exeservices.exe services.exe services.exe csrss.execsrss.exe winlogon.exewinlogon.execsrss.execsrss.exe winlogon.exe winlogon.exe smss.exesmss.exe csrss.exesmss.exe~Paraysutki_VM_Community~lsass.exesmss.exe csrss.exe lsass.exe services.exesmss.exelsass.exeservices.exe smss.exe lsass.exe winlogon.exewinlogon.exe lsass.exelsass.exe winlogon.exewinlogon.exe services.exe~Paraysutki_VM_Community~services.exeservices.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~

pid	process
4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
3156	csrss.exe
316	csrss.exe
4304	smss.exe
4536	ndsv.exe
3692	smss.exe
3748	csrss.exe
3000	csrss.exe
3896	csrss.exe
4184	csrss.exe
4076	smss.exe
396	smss.exe
1184	smss.exe
1572	lsass.exe
1252	lsass.exe
4016	izha.exe
3400	smss.exe
3220	lsass.exe
4788	services.exe
2192	dsnv.exe
4300	services.exe
4952	lsass.exe
2748	services.exe
1604	lsass.exe
372	lsass.exe
4856	namw.exe
2756	services.exe
3260	services.exe
428	services.exe
1260	csrss.exe
3764	csrss.exe
4060	winlogon.exe
3312	winlogon.exe
4388	csrss.exe
4180	csrss.exe
3476	winlogon.exe
3508	winlogon.exe
5096	smss.exe
4968	smss.exe
4680	csrss.exe
1548	smss.exe
3160	~Paraysutki_VM_Community~
4608	lsass.exe
1508	smss.exe
3316	csrss.exe
4848	lsass.exe
632	services.exe
4280	smss.exe
4012	lsass.exe
800	services.exe
3896	smss.exe
3820	lsass.exe
5036	winlogon.exe
3604	winlogon.exe
932	lsass.exe
1748	lsass.exe
3492	winlogon.exe
4332	winlogon.exe
4008	services.exe
3620	~Paraysutki_VM_Community~
2264	services.exe
3488	services.exe
960	~Paraysutki_VM_Community~
3320	~Paraysutki_VM_Community~

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe smss.exe winlogon.exe services.exe csrss.exe lsass.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	services.exe

Loads dropped DLL 64 IoCs

Processes:

csrss.execsrss.exe smss.exesmss.exe csrss.execsrss.execsrss.exe csrss.exe smss.exesmss.exe smss.exelsass.exelsass.exesmss.exe lsass.exeservices.exelsass.exe services.exelsass.exe services.exelsass.exe services.exe services.exe services.exe csrss.execsrss.exe winlogon.exewinlogon.execsrss.execsrss.exe winlogon.exe smss.exewinlogon.exe smss.exe csrss.exesmss.exelsass.exe~Paraysutki_VM_Community~smss.exe csrss.exe lsass.exe services.exesmss.exelsass.exeservices.exe smss.exe lsass.exe winlogon.exewinlogon.exe lsass.exelsass.exe winlogon.exewinlogon.exe services.exe~Paraysutki_VM_Community~services.exeservices.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~services.exe winlogon.exewinlogon.exewinlogon.exe winlogon.exe

pid	process
3156	csrss.exe
316	csrss.exe
4304	smss.exe
3692	smss.exe
3748	csrss.exe
3000	csrss.exe
3896	csrss.exe
4184	csrss.exe
4076	smss.exe
396	smss.exe
1184	smss.exe
1252	lsass.exe
1572	lsass.exe
3400	smss.exe
3220	lsass.exe
2748	services.exe
4952	lsass.exe
4300	services.exe
1604	lsass.exe
4788	services.exe
372	lsass.exe
2756	services.exe
3260	services.exe
428	services.exe
1260	csrss.exe
3764	csrss.exe
4060	winlogon.exe
3312	winlogon.exe
4388	csrss.exe
4180	csrss.exe
3508	winlogon.exe
5096	smss.exe
3476	winlogon.exe
4968	smss.exe
4680	csrss.exe
1548	smss.exe
4608	lsass.exe
3160	~Paraysutki_VM_Community~
1508	smss.exe
3316	csrss.exe
4848	lsass.exe
632	services.exe
4280	smss.exe
4012	lsass.exe
800	services.exe
3896	smss.exe
3820	lsass.exe
5036	winlogon.exe
3604	winlogon.exe
932	lsass.exe
1748	lsass.exe
3492	winlogon.exe
4332	winlogon.exe
4008	services.exe
3620	~Paraysutki_VM_Community~
2264	services.exe
3488	services.exe
960	~Paraysutki_VM_Community~
3320	~Paraysutki_VM_Community~
4456	services.exe
1624	winlogon.exe
4052	winlogon.exe
4316	winlogon.exe
1184	winlogon.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe smss.exe winlogon.exe services.exe smss.exeizha.exelsass.exe csrss.exendsv.exesmss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	izha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	izha.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe smss.exe services.exe winlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ndsv.exeizha.exe

description	ioc	process
File opened (read-only)	\??\H:	ndsv.exe
File opened (read-only)	\??\Z:	ndsv.exe
File opened (read-only)	\??\S:	ndsv.exe
File opened (read-only)	\??\U:	ndsv.exe
File opened (read-only)	\??\F:	izha.exe
File opened (read-only)	\??\T:	izha.exe
File opened (read-only)	\??\P:	ndsv.exe
File opened (read-only)	\??\V:	izha.exe
File opened (read-only)	\??\Y:	izha.exe
File opened (read-only)	\??\O:	ndsv.exe
File opened (read-only)	\??\G:	izha.exe
File opened (read-only)	\??\L:	izha.exe
File opened (read-only)	\??\P:	izha.exe
File opened (read-only)	\??\K:	izha.exe
File opened (read-only)	\??\M:	izha.exe
File opened (read-only)	\??\R:	izha.exe
File opened (read-only)	\??\G:	ndsv.exe
File opened (read-only)	\??\I:	ndsv.exe
File opened (read-only)	\??\E:	izha.exe
File opened (read-only)	\??\I:	izha.exe
File opened (read-only)	\??\J:	izha.exe
File opened (read-only)	\??\V:	ndsv.exe
File opened (read-only)	\??\W:	ndsv.exe
File opened (read-only)	\??\Y:	ndsv.exe
File opened (read-only)	\??\J:	ndsv.exe
File opened (read-only)	\??\K:	ndsv.exe
File opened (read-only)	\??\M:	ndsv.exe
File opened (read-only)	\??\X:	izha.exe
File opened (read-only)	\??\F:	ndsv.exe
File opened (read-only)	\??\N:	ndsv.exe
File opened (read-only)	\??\W:	izha.exe
File opened (read-only)	\??\Z:	izha.exe
File opened (read-only)	\??\T:	ndsv.exe
File opened (read-only)	\??\E:	ndsv.exe
File opened (read-only)	\??\L:	ndsv.exe
File opened (read-only)	\??\R:	ndsv.exe
File opened (read-only)	\??\N:	izha.exe
File opened (read-only)	\??\U:	izha.exe
File opened (read-only)	\??\B:	ndsv.exe
File opened (read-only)	\??\Q:	izha.exe
File opened (read-only)	\??\S:	izha.exe
File opened (read-only)	\??\Q:	ndsv.exe
File opened (read-only)	\??\X:	ndsv.exe
File opened (read-only)	\??\B:	izha.exe
File opened (read-only)	\??\H:	izha.exe
File opened (read-only)	\??\O:	izha.exe

Drops file in System32 directory 64 IoCs

Processes:

csrss.execsrss.exelsass.exe lsass.exeservices.exe services.exe~Paraysutki_VM_Community~smss.exe smss.exendsv.exeizha.exesmss.exedsnv.execsrss.exewinlogon.exe smss.exe~Paraysutki_VM_Community~8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe winlogon.execsrss.exe services.exenamw.exewinlogon.exeservices.exe~Paraysutki_VM_Community~lsass.exeservices.exeservices.exelsass.exelsass.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	ndsv.exe
File opened for modification	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	izha.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	ndsv.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	dsnv.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	izha.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	namw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\Desktop.sysm	izha.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	ndsv.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe

Drops file in Program Files directory 28 IoCs

Processes:

ndsv.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\PushEdit.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	ndsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe lsass.exe smss.exe services.exe winlogon.exe csrss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	services.exe

Modifies registry class 64 IoCs

Processes:

ndsv.execsrss.exesmss.exeizha.execsrss.exe smss.exe8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exesmss.exe winlogon.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe services.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	izha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	izha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	izha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	izha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	izha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	izha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	izha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	izha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	izha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
3220	ping.exe
1140	ping.exe
4648	ping.exe
5108	ping.exe
3912	ping.exe
4640	ping.exe
4088	ping.exe
1884	ping.exe
3920	ping.exe
3380	ping.exe
4240	ping.exe
4560	ping.exe
1352	ping.exe
4612	ping.exe
5096	ping.exe
3476	ping.exe
4496	ping.exe
4788	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exeservices.exewinlogon.exe

pid	process
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
3156	csrss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
4304	smss.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
2748	services.exe
4060	winlogon.exe
4060	winlogon.exe
4060	winlogon.exe
4060	winlogon.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3916 rundll32.exe
4800 rundll32.exe
4028 rundll32.exe
552 rundll32.exe
4568 rundll32.exe
4688 rundll32.exe

pid	process
3916	rundll32.exe
4800	rundll32.exe
4028	rundll32.exe
552	rundll32.exe
4568	rundll32.exe
4688	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe csrss.execsrss.exe smss.exendsv.exesmss.exe csrss.execsrss.execsrss.exe csrss.exe smss.exesmss.exe smss.exelsass.exelsass.exeizha.exelsass.exesmss.exe services.exeservices.exelsass.exe services.exelsass.exe dsnv.exenamw.exelsass.exe services.exe services.exe services.exe csrss.execsrss.exe winlogon.exewinlogon.execsrss.execsrss.exe winlogon.exe smss.exewinlogon.exe smss.exe lsass.exe~Paraysutki_VM_Community~csrss.exesmss.exelsass.exe smss.exe csrss.exe services.exelsass.exesmss.exeservices.exe smss.exe lsass.exe winlogon.exewinlogon.exe lsass.exelsass.exe winlogon.exewinlogon.exe services.exe~Paraysutki_VM_Community~services.exeservices.exe ~Paraysutki_VM_Community~

pid	process
632	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
3156	csrss.exe
316	csrss.exe
4304	smss.exe
4536	ndsv.exe
3692	smss.exe
3748	csrss.exe
3000	csrss.exe
3896	csrss.exe
4184	csrss.exe
4076	smss.exe
396	smss.exe
1184	smss.exe
1572	lsass.exe
1252	lsass.exe
4016	izha.exe
3220	lsass.exe
3400	smss.exe
2748	services.exe
4300	services.exe
1604	lsass.exe
4788	services.exe
4952	lsass.exe
2192	dsnv.exe
4856	namw.exe
372	lsass.exe
2756	services.exe
3260	services.exe
428	services.exe
1260	csrss.exe
3764	csrss.exe
4060	winlogon.exe
3312	winlogon.exe
4388	csrss.exe
4180	csrss.exe
3508	winlogon.exe
5096	smss.exe
3476	winlogon.exe
4968	smss.exe
4608	lsass.exe
3160	~Paraysutki_VM_Community~
4680	csrss.exe
1548	smss.exe
4848	lsass.exe
1508	smss.exe
3316	csrss.exe
632	services.exe
4012	lsass.exe
4280	smss.exe
800	services.exe
3896	smss.exe
3820	lsass.exe
5036	winlogon.exe
3604	winlogon.exe
932	lsass.exe
1748	lsass.exe
3492	winlogon.exe
4332	winlogon.exe
4008	services.exe
3620	~Paraysutki_VM_Community~
2264	services.exe
3488	services.exe
960	~Paraysutki_VM_Community~

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe csrss.exesmss.execsrss.exe smss.exe csrss.execsrss.exesmss.exesmss.exelsass.exe

description	pid	process	target process
PID 632 wrote to memory of 4472	632	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
PID 632 wrote to memory of 4472	632	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
PID 632 wrote to memory of 4472	632	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
PID 4472 wrote to memory of 3156	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	csrss.exe
PID 4472 wrote to memory of 3156	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	csrss.exe
PID 4472 wrote to memory of 3156	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	csrss.exe
PID 3156 wrote to memory of 316	3156	csrss.exe	csrss.exe
PID 3156 wrote to memory of 316	3156	csrss.exe	csrss.exe
PID 3156 wrote to memory of 316	3156	csrss.exe	csrss.exe
PID 4472 wrote to memory of 4304	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	smss.exe
PID 4472 wrote to memory of 4304	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	smss.exe
PID 4472 wrote to memory of 4304	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	smss.exe
PID 632 wrote to memory of 4536	632	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	ndsv.exe
PID 632 wrote to memory of 4536	632	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	ndsv.exe
PID 632 wrote to memory of 4536	632	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	ndsv.exe
PID 4304 wrote to memory of 3692	4304	smss.exe	smss.exe
PID 4304 wrote to memory of 3692	4304	smss.exe	smss.exe
PID 4304 wrote to memory of 3692	4304	smss.exe	smss.exe
PID 316 wrote to memory of 3748	316	csrss.exe	csrss.exe
PID 316 wrote to memory of 3748	316	csrss.exe	csrss.exe
PID 316 wrote to memory of 3748	316	csrss.exe	csrss.exe
PID 3692 wrote to memory of 3000	3692	smss.exe	csrss.exe
PID 3692 wrote to memory of 3000	3692	smss.exe	csrss.exe
PID 3692 wrote to memory of 3000	3692	smss.exe	csrss.exe
PID 3748 wrote to memory of 3896	3748	csrss.exe	csrss.exe
PID 3748 wrote to memory of 3896	3748	csrss.exe	csrss.exe
PID 3748 wrote to memory of 3896	3748	csrss.exe	csrss.exe
PID 3000 wrote to memory of 4184	3000	csrss.exe	csrss.exe
PID 3000 wrote to memory of 4184	3000	csrss.exe	csrss.exe
PID 3000 wrote to memory of 4184	3000	csrss.exe	csrss.exe
PID 316 wrote to memory of 4076	316	csrss.exe	smss.exe
PID 316 wrote to memory of 4076	316	csrss.exe	smss.exe
PID 316 wrote to memory of 4076	316	csrss.exe	smss.exe
PID 4076 wrote to memory of 396	4076	smss.exe	smss.exe
PID 4076 wrote to memory of 396	4076	smss.exe	smss.exe
PID 4076 wrote to memory of 396	4076	smss.exe	smss.exe
PID 3692 wrote to memory of 1184	3692	smss.exe	smss.exe
PID 3692 wrote to memory of 1184	3692	smss.exe	smss.exe
PID 3692 wrote to memory of 1184	3692	smss.exe	smss.exe
PID 4472 wrote to memory of 1572	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	lsass.exe
PID 4472 wrote to memory of 1572	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	lsass.exe
PID 4472 wrote to memory of 1572	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	lsass.exe
PID 316 wrote to memory of 1252	316	csrss.exe	lsass.exe
PID 316 wrote to memory of 1252	316	csrss.exe	lsass.exe
PID 316 wrote to memory of 1252	316	csrss.exe	lsass.exe
PID 3748 wrote to memory of 4016	3748	csrss.exe	izha.exe
PID 3748 wrote to memory of 4016	3748	csrss.exe	izha.exe
PID 3748 wrote to memory of 4016	3748	csrss.exe	izha.exe
PID 1184 wrote to memory of 3400	1184	smss.exe	smss.exe
PID 1184 wrote to memory of 3400	1184	smss.exe	smss.exe
PID 1184 wrote to memory of 3400	1184	smss.exe	smss.exe
PID 3692 wrote to memory of 3220	3692	smss.exe	lsass.exe
PID 3692 wrote to memory of 3220	3692	smss.exe	lsass.exe
PID 3692 wrote to memory of 3220	3692	smss.exe	lsass.exe
PID 3692 wrote to memory of 4788	3692	smss.exe	services.exe
PID 3692 wrote to memory of 4788	3692	smss.exe	services.exe
PID 3692 wrote to memory of 4788	3692	smss.exe	services.exe
PID 4472 wrote to memory of 4300	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	services.exe
PID 4472 wrote to memory of 4300	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	services.exe
PID 4472 wrote to memory of 4300	4472	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe	services.exe
PID 4304 wrote to memory of 2192	4304	smss.exe	dsnv.exe
PID 4304 wrote to memory of 2192	4304	smss.exe	dsnv.exe
PID 4304 wrote to memory of 2192	4304	smss.exe	dsnv.exe
PID 1572 wrote to memory of 4952	1572	lsass.exe	lsass.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

lsass.exe smss.exe services.exe winlogon.exe csrss.exe 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe

C:\Users\Admin\AppData\Local\Temp\8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
"C:\Users\Admin\AppData\Local\Temp\8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
C:\Users\Admin\AppData\Local\Temp\8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4472

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:316

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3896

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\izha.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\izha.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:396

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:3632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:2504

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:4640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:1260

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:3220

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:4560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:1004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:4664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:4340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3692

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3400

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\namw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\namw.exe" smss
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2756

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4052

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Loads dropped DLL
PID:4316

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
PID:2184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:4568

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:3028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:4588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:5116

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:3912

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:3380

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4240

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:372

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:1384

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:3848

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4800

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1352

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:4276

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:1420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:5052

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1140

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:4612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:2492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:4956

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsnv.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\dsnv.exe" smss
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4952

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:800

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:1596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:1552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:1716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:3548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:392

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:3656

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1884

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:3476

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:3920

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3260

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3508

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:932

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Loads dropped DLL
PID:4456

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Loads dropped DLL
PID:1624

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Loads dropped DLL
PID:1184

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Drops file in System32 directory
PID:4712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:2100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:5048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:4976

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:5108

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:4496

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:4788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:316

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:3308

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:1344

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:3916

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
3⤵
PID:1796

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
3⤵
PID:632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
3⤵
PID:4124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
3⤵
PID:4820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
3⤵
PID:2064

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
3⤵
- Runs ping.exe
PID:4648

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:4088

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:5096

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
3⤵
PID:3092

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe" 8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8454227e6f55c92b8dd7d5d64fe135951323600303ab361306ac13d7aaaf6b01.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\dsnv.exe

Filesize
76KB

MD5
67ac959e4e272777f8a9828721638b00

SHA1
bfeafa7504d8b043926ae75abe50c93c7d4abc32

SHA256
00de14b68b4af970830f4a4f3837f262225f9fd3819305f57d93c9bb7390372d

SHA512
5c7746323ca6ecd2ef344d38b74b07b5c23df7ddf5f3cdc60c56f819e4c940e6989ee0a54943611ca91a18e581c3240f732f15d9cb7b85499b97d39b48f418f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\izha.exe

Filesize
76KB

MD5
67ac959e4e272777f8a9828721638b00

SHA1
bfeafa7504d8b043926ae75abe50c93c7d4abc32

SHA256
00de14b68b4af970830f4a4f3837f262225f9fd3819305f57d93c9bb7390372d

SHA512
5c7746323ca6ecd2ef344d38b74b07b5c23df7ddf5f3cdc60c56f819e4c940e6989ee0a54943611ca91a18e581c3240f732f15d9cb7b85499b97d39b48f418f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ndsv.exe

Filesize
76KB

MD5
f1c37f83e4ecfbfc04fd4e83f05c14ad

SHA1
16fb76c063e9669d5e7211b279f0abf8c60d7bee

SHA256
d24a976af7fdfa25bb7a79c56083506433a2dee234cdf4b1786db97486de035f

SHA512
d477496ca4346450ef85c32820b3ff7f13100718e35ead83f8698e6c5244f107bafedf2d2339a211f4e1dc1cbce8768a8a0f6272a2435ddb0507bb73be3e4079

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
fefcdc099f3eb8354185cd49ec0170dc

SHA1
d584f2a609381082bccb4faa0f53b89f15cdc3c8

SHA256
e001bc071334ea2cf2239932a0a410cb2fe3907a2e094a0d14cf3da2103edc24

SHA512
6cf9b6e8e202f77e505a6ee740b774a65dce411bd32d5ad04be9f11ea821de672f2d2ab22c1915e0c5e86ed7ecfe6be8b84c1b6f9471edade77b553ef4c3b47d

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\izha.exe

Filesize
76KB

MD5
67ac959e4e272777f8a9828721638b00

SHA1
bfeafa7504d8b043926ae75abe50c93c7d4abc32

SHA256
00de14b68b4af970830f4a4f3837f262225f9fd3819305f57d93c9bb7390372d

SHA512
5c7746323ca6ecd2ef344d38b74b07b5c23df7ddf5f3cdc60c56f819e4c940e6989ee0a54943611ca91a18e581c3240f732f15d9cb7b85499b97d39b48f418f0

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe

Filesize
76KB

MD5
f1c37f83e4ecfbfc04fd4e83f05c14ad

SHA1
16fb76c063e9669d5e7211b279f0abf8c60d7bee

SHA256
d24a976af7fdfa25bb7a79c56083506433a2dee234cdf4b1786db97486de035f

SHA512
d477496ca4346450ef85c32820b3ff7f13100718e35ead83f8698e6c5244f107bafedf2d2339a211f4e1dc1cbce8768a8a0f6272a2435ddb0507bb73be3e4079

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
4e4beb2d3b7e34c090e53a8537999587

SHA1
72f9883b07c4b5c2f1b93d126603fd9b2d6f7984

SHA256
038e3b437cc6f7907d70f899452b51c63b0080035e1817339d271ce7bb1d62f6

SHA512
6728c0cf006dbb27ce2f31c2518f76d1f7f7b1ad6135368cc65747dff8012682e4c7119d224d2e9a46d59a8818e42f0c316a90d71a0907c8f9158a6c25e350a4

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
67ac959e4e272777f8a9828721638b00

SHA1
bfeafa7504d8b043926ae75abe50c93c7d4abc32

SHA256
00de14b68b4af970830f4a4f3837f262225f9fd3819305f57d93c9bb7390372d

SHA512
5c7746323ca6ecd2ef344d38b74b07b5c23df7ddf5f3cdc60c56f819e4c940e6989ee0a54943611ca91a18e581c3240f732f15d9cb7b85499b97d39b48f418f0

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
67ac959e4e272777f8a9828721638b00

SHA1
bfeafa7504d8b043926ae75abe50c93c7d4abc32

SHA256
00de14b68b4af970830f4a4f3837f262225f9fd3819305f57d93c9bb7390372d

SHA512
5c7746323ca6ecd2ef344d38b74b07b5c23df7ddf5f3cdc60c56f819e4c940e6989ee0a54943611ca91a18e581c3240f732f15d9cb7b85499b97d39b48f418f0

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
67ac959e4e272777f8a9828721638b00

SHA1
bfeafa7504d8b043926ae75abe50c93c7d4abc32

SHA256
00de14b68b4af970830f4a4f3837f262225f9fd3819305f57d93c9bb7390372d

SHA512
5c7746323ca6ecd2ef344d38b74b07b5c23df7ddf5f3cdc60c56f819e4c940e6989ee0a54943611ca91a18e581c3240f732f15d9cb7b85499b97d39b48f418f0

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/316-160-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/316-208-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/316-446-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/316-149-0x0000000000000000-mapping.dmp

Download
memory/372-271-0x0000000000000000-mapping.dmp

Download
memory/372-308-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/396-212-0x0000000000000000-mapping.dmp

Download
memory/396-218-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/396-246-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/428-306-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/428-309-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/428-290-0x0000000000000000-mapping.dmp

Download
memory/552-368-0x0000000000000000-mapping.dmp

Download
memory/632-364-0x0000000000000000-mapping.dmp

Download
memory/800-381-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/800-373-0x0000000000000000-mapping.dmp

Download
memory/932-394-0x0000000000000000-mapping.dmp

Download
memory/960-420-0x0000000000000000-mapping.dmp

Download
memory/1184-214-0x0000000000000000-mapping.dmp

Download
memory/1184-451-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1184-453-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1252-226-0x0000000000000000-mapping.dmp

Download
memory/1260-292-0x0000000000000000-mapping.dmp

Download
memory/1508-352-0x0000000000000000-mapping.dmp

Download
memory/1548-338-0x0000000000000000-mapping.dmp

Download
memory/1572-221-0x0000000000000000-mapping.dmp

Download
memory/1604-310-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1604-262-0x0000000000000000-mapping.dmp

Download
memory/1748-397-0x0000000000000000-mapping.dmp

Download
memory/1748-408-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1748-418-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2192-258-0x0000000000000000-mapping.dmp

Download
memory/2264-416-0x0000000000000000-mapping.dmp

Download
memory/2748-260-0x0000000000000000-mapping.dmp

Download
memory/2756-304-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-458-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-411-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-288-0x0000000000000000-mapping.dmp

Download
memory/3000-185-0x0000000000000000-mapping.dmp

Download
memory/3156-140-0x0000000000000000-mapping.dmp

Download
memory/3160-339-0x0000000000000000-mapping.dmp

Download
memory/3220-249-0x0000000000000000-mapping.dmp

Download
memory/3260-305-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3260-316-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3260-289-0x0000000000000000-mapping.dmp

Download
memory/3312-312-0x0000000000000000-mapping.dmp

Download
memory/3316-363-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3316-354-0x0000000000000000-mapping.dmp

Download
memory/3316-355-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3320-421-0x0000000000000000-mapping.dmp

Download
memory/3400-248-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3400-291-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3400-242-0x0000000000000000-mapping.dmp

Download
memory/3476-341-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3476-326-0x0000000000000000-mapping.dmp

Download
memory/3488-434-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3488-438-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3492-400-0x0000000000000000-mapping.dmp

Download
memory/3508-325-0x0000000000000000-mapping.dmp

Download
memory/3508-459-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3508-413-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-393-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-390-0x0000000000000000-mapping.dmp

Download
memory/3604-425-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3620-412-0x0000000000000000-mapping.dmp

Download
memory/3692-202-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3692-166-0x0000000000000000-mapping.dmp

Download
memory/3692-448-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3748-176-0x0000000000000000-mapping.dmp

Download
memory/3764-314-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3764-301-0x0000000000000000-mapping.dmp

Download
memory/3764-307-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3820-386-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3820-409-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3820-377-0x0000000000000000-mapping.dmp

Download
memory/3896-216-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3896-187-0x0000000000000000-mapping.dmp

Download
memory/3896-383-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3896-203-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3896-387-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3896-375-0x0000000000000000-mapping.dmp

Download
memory/4008-406-0x0000000000000000-mapping.dmp

Download
memory/4012-367-0x0000000000000000-mapping.dmp

Download
memory/4016-234-0x0000000000000000-mapping.dmp

Download
memory/4060-311-0x0000000000000000-mapping.dmp

Download
memory/4076-205-0x0000000000000000-mapping.dmp

Download
memory/4180-322-0x0000000000000000-mapping.dmp

Download
memory/4180-328-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4184-217-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4184-204-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4184-197-0x0000000000000000-mapping.dmp

Download
memory/4280-365-0x0000000000000000-mapping.dmp

Download
memory/4300-257-0x0000000000000000-mapping.dmp

Download
memory/4304-150-0x0000000000000000-mapping.dmp

Download
memory/4316-450-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4316-452-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4332-423-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4332-410-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4332-403-0x0000000000000000-mapping.dmp

Download
memory/4388-313-0x0000000000000000-mapping.dmp

Download
memory/4456-439-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4456-435-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-449-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-148-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-134-0x0000000000000000-mapping.dmp

Download
memory/4536-158-0x0000000000000000-mapping.dmp

Download
memory/4608-343-0x0000000000000000-mapping.dmp

Download
memory/4680-340-0x0000000000000000-mapping.dmp

Download
memory/4788-256-0x0000000000000000-mapping.dmp

Download
memory/4848-362-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4848-353-0x0000000000000000-mapping.dmp

Download
memory/4856-274-0x0000000000000000-mapping.dmp

Download
memory/4952-447-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4952-259-0x0000000000000000-mapping.dmp

Download
memory/4952-407-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4968-342-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4968-333-0x0000000000000000-mapping.dmp

Download
memory/5036-385-0x0000000000000000-mapping.dmp

Download
memory/5096-327-0x0000000000000000-mapping.dmp

Download