5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87

Analysis

max time kernel
193s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Size

205KB
MD5

2e70061e9f2ddd5a4f4e7785ba55659e
SHA1

2e9c08bc22b64bdfd3ed43620e10231ce589b008
SHA256

5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87
SHA512

a9ba810a6cb44735475c4c41da5312126589ef0bd192350caec2fb521041da3e437f6fbb05e2e59b2e200d8b2fe9d9f8d257f3d71b1fda3621b0b9eee1eeea03
SSDEEP

3072:4qhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:4qhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csnv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nuxa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nuxa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csnv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
4692	csnv.exe
3616	csrss.exe
3840	csrss.exe
464	csrss.exe
1932	csrss.exe
5040	nuxa.exe
3012	smss.exe
1364	smss.exe
4404	csrss.exe
4976	csrss.exe
2520	smss.exe
3388	smss.exe
4444	smss.exe
2712	smss.exe
456	lsass.exe
3332	lsass.exe
3880	lsass.exe
4188	services.exe
3648	services.exe
1616	services.exe
3384	lsass.exe
4928	winlogon.exe
3148	services.exe
4588	services.exe
1840	winlogon.exe
1504	winlogon.exe
2164	csrss.exe
2908	csrss.exe
4596	csrss.exe
4772	winlogon.exe
4336	csrss.exe
1496	csrss.exe
2328	smss.exe
3444	~Paraysutki_VM_Community~
1812	smss.exe
4908	csrss.exe
1324	smss.exe
4304	smss.exe
1128	smss.exe
216	smss.exe
3996	lsass.exe
1508	lsass.exe
3140	lsass.exe
3108	lsass.exe
3628	lsass.exe
2544	lsass.exe
1520	services.exe
4380	services.exe
876	services.exe
4268	services.exe
4604	services.exe
3128	services.exe
2336	winlogon.exe
3832	winlogon.exe
1100	winlogon.exe
2392	winlogon.exe
4180	winlogon.exe
4392	winlogon.exe
3428	~Paraysutki_VM_Community~
3508	~Paraysutki_VM_Community~
1472	~Paraysutki_VM_Community~
4416	~Paraysutki_VM_Community~
4128	rundll32.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	smss.exe

Loads dropped DLL 63 IoCs

pid	Process
3616	csrss.exe
3840	csrss.exe
464	csrss.exe
1932	csrss.exe
3012	smss.exe
1364	smss.exe
4404	csrss.exe
4976	csrss.exe
2520	smss.exe
3388	smss.exe
4444	smss.exe
2712	smss.exe
3880	lsass.exe
3332	lsass.exe
456	lsass.exe
4188	services.exe
3648	services.exe
1616	services.exe
3384	lsass.exe
4928	winlogon.exe
3148	services.exe
4588	services.exe
1840	winlogon.exe
1504	winlogon.exe
2164	csrss.exe
2908	csrss.exe
4596	csrss.exe
4772	winlogon.exe
4336	csrss.exe
1496	csrss.exe
2328	smss.exe
3444	~Paraysutki_VM_Community~
1812	smss.exe
4908	csrss.exe
1324	smss.exe
4304	smss.exe
1128	smss.exe
216	smss.exe
3996	lsass.exe
1508	lsass.exe
3140	lsass.exe
3108	lsass.exe
3628	lsass.exe
2544	lsass.exe
1520	services.exe
4380	services.exe
876	services.exe
4268	services.exe
4604	services.exe
3128	services.exe
2336	winlogon.exe
3832	winlogon.exe
1100	winlogon.exe
2392	winlogon.exe
4180	winlogon.exe
4392	winlogon.exe
3428	~Paraysutki_VM_Community~
3508	~Paraysutki_VM_Community~
1472	~Paraysutki_VM_Community~
4416	~Paraysutki_VM_Community~
4128	rundll32.exe
1496	winlogon.exe
3628	~Paraysutki_VM_Community~

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	csnv.exe
File opened (read-only)	\??\W:	csnv.exe
File opened (read-only)	\??\Z:	csnv.exe
File opened (read-only)	\??\Q:	nuxa.exe
File opened (read-only)	\??\F:	csnv.exe
File opened (read-only)	\??\H:	csnv.exe
File opened (read-only)	\??\R:	csnv.exe
File opened (read-only)	\??\S:	nuxa.exe
File opened (read-only)	\??\I:	nuxa.exe
File opened (read-only)	\??\M:	nuxa.exe
File opened (read-only)	\??\I:	csnv.exe
File opened (read-only)	\??\J:	csnv.exe
File opened (read-only)	\??\L:	csnv.exe
File opened (read-only)	\??\Q:	csnv.exe
File opened (read-only)	\??\Y:	csnv.exe
File opened (read-only)	\??\E:	nuxa.exe
File opened (read-only)	\??\N:	nuxa.exe
File opened (read-only)	\??\P:	nuxa.exe
File opened (read-only)	\??\Y:	nuxa.exe
File opened (read-only)	\??\P:	csnv.exe
File opened (read-only)	\??\S:	csnv.exe
File opened (read-only)	\??\H:	nuxa.exe
File opened (read-only)	\??\U:	nuxa.exe
File opened (read-only)	\??\E:	csnv.exe
File opened (read-only)	\??\T:	csnv.exe
File opened (read-only)	\??\K:	nuxa.exe
File opened (read-only)	\??\R:	nuxa.exe
File opened (read-only)	\??\X:	nuxa.exe
File opened (read-only)	\??\B:	csnv.exe
File opened (read-only)	\??\K:	csnv.exe
File opened (read-only)	\??\M:	csnv.exe
File opened (read-only)	\??\G:	nuxa.exe
File opened (read-only)	\??\O:	nuxa.exe
File opened (read-only)	\??\V:	nuxa.exe
File opened (read-only)	\??\L:	nuxa.exe
File opened (read-only)	\??\Z:	nuxa.exe
File opened (read-only)	\??\N:	csnv.exe
File opened (read-only)	\??\O:	csnv.exe
File opened (read-only)	\??\V:	csnv.exe
File opened (read-only)	\??\X:	csnv.exe
File opened (read-only)	\??\B:	nuxa.exe
File opened (read-only)	\??\F:	nuxa.exe
File opened (read-only)	\??\U:	csnv.exe
File opened (read-only)	\??\J:	nuxa.exe
File opened (read-only)	\??\T:	nuxa.exe
File opened (read-only)	\??\W:	nuxa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csnv.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	nuxa.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	csnv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	csnv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	csnv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	csnv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	csnv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	csnv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	nuxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	nuxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	nuxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	nuxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	nuxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	nuxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	nuxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csnv.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
1720	ping.exe
4448	ping.exe
4316	ping.exe
4212	ping.exe
3580	ping.exe
5072	ping.exe
456	ping.exe
736	ping.exe
1708	ping.exe
1616	ping.exe
4472	ping.exe
4992	ping.exe
1928	ping.exe
3068	ping.exe
2112	ping.exe
5076	ping.exe
2784	ping.exe
3940	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3616	csrss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
456	lsass.exe
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
3880	Process not Found
4188	services.exe
4188	services.exe
4188	services.exe
4188	services.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2712	rundll32.exe
752	rundll32.exe
2212	rundll32.exe
4260	rundll32.exe
4592	rundll32.exe
1492	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4832	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
4692	csnv.exe
3616	csrss.exe
3840	csrss.exe
464	csrss.exe
1932	csrss.exe
5040	nuxa.exe
3012	smss.exe
1364	smss.exe
4404	csrss.exe
4976	csrss.exe
2520	smss.exe
3388	smss.exe
4444	smss.exe
2712	smss.exe
3880	lsass.exe
456	lsass.exe
3332	lsass.exe
4188	services.exe
3648	services.exe
1616	services.exe
3384	lsass.exe
4928	winlogon.exe
4588	services.exe
3148	services.exe
1840	winlogon.exe
2164	csrss.exe
1504	winlogon.exe
2908	csrss.exe
4772	winlogon.exe
4596	csrss.exe
4336	csrss.exe
1496	csrss.exe
1812	smss.exe
3444	~Paraysutki_VM_Community~
2328	smss.exe
4908	csrss.exe
1324	smss.exe
4304	smss.exe
1128	smss.exe
216	smss.exe
3996	lsass.exe
1508	lsass.exe
3108	lsass.exe
3628	lsass.exe
3140	lsass.exe
2544	lsass.exe
4380	services.exe
1520	services.exe
876	services.exe
4268	services.exe
4604	services.exe
3128	services.exe
3832	winlogon.exe
2336	winlogon.exe
1100	winlogon.exe
2392	winlogon.exe
4180	winlogon.exe
4392	winlogon.exe
3428	~Paraysutki_VM_Community~
3508	~Paraysutki_VM_Community~
1472	~Paraysutki_VM_Community~
4128	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2152	4832	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	81
PID 4832 wrote to memory of 2152	4832	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	81
PID 4832 wrote to memory of 2152	4832	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	81
PID 4832 wrote to memory of 4692	4832	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	82
PID 4832 wrote to memory of 4692	4832	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	82
PID 4832 wrote to memory of 4692	4832	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	82
PID 2152 wrote to memory of 3616	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	83
PID 2152 wrote to memory of 3616	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	83
PID 2152 wrote to memory of 3616	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	83
PID 3616 wrote to memory of 3840	3616	csrss.exe	84
PID 3616 wrote to memory of 3840	3616	csrss.exe	84
PID 3616 wrote to memory of 3840	3616	csrss.exe	84
PID 3840 wrote to memory of 464	3840	csrss.exe	85
PID 3840 wrote to memory of 464	3840	csrss.exe	85
PID 3840 wrote to memory of 464	3840	csrss.exe	85
PID 464 wrote to memory of 1932	464	csrss.exe	86
PID 464 wrote to memory of 1932	464	csrss.exe	86
PID 464 wrote to memory of 1932	464	csrss.exe	86
PID 464 wrote to memory of 5040	464	csrss.exe	87
PID 464 wrote to memory of 5040	464	csrss.exe	87
PID 464 wrote to memory of 5040	464	csrss.exe	87
PID 3840 wrote to memory of 3012	3840	csrss.exe	88
PID 3840 wrote to memory of 3012	3840	csrss.exe	88
PID 3840 wrote to memory of 3012	3840	csrss.exe	88
PID 3012 wrote to memory of 1364	3012	smss.exe	89
PID 3012 wrote to memory of 1364	3012	smss.exe	89
PID 3012 wrote to memory of 1364	3012	smss.exe	89
PID 1364 wrote to memory of 4404	1364	smss.exe	90
PID 1364 wrote to memory of 4404	1364	smss.exe	90
PID 1364 wrote to memory of 4404	1364	smss.exe	90
PID 4404 wrote to memory of 4976	4404	csrss.exe	91
PID 4404 wrote to memory of 4976	4404	csrss.exe	91
PID 4404 wrote to memory of 4976	4404	csrss.exe	91
PID 1364 wrote to memory of 2520	1364	smss.exe	92
PID 1364 wrote to memory of 2520	1364	smss.exe	92
PID 1364 wrote to memory of 2520	1364	smss.exe	92
PID 2520 wrote to memory of 3388	2520	smss.exe	93
PID 2520 wrote to memory of 3388	2520	smss.exe	93
PID 2520 wrote to memory of 3388	2520	smss.exe	93
PID 2152 wrote to memory of 4444	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	94
PID 2152 wrote to memory of 4444	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	94
PID 2152 wrote to memory of 4444	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	94
PID 4444 wrote to memory of 2712	4444	smss.exe	95
PID 4444 wrote to memory of 2712	4444	smss.exe	95
PID 4444 wrote to memory of 2712	4444	smss.exe	95
PID 1364 wrote to memory of 3332	1364	smss.exe	97
PID 1364 wrote to memory of 3332	1364	smss.exe	97
PID 1364 wrote to memory of 3332	1364	smss.exe	97
PID 3840 wrote to memory of 456	3840	csrss.exe	96
PID 3840 wrote to memory of 456	3840	csrss.exe	96
PID 3840 wrote to memory of 456	3840	csrss.exe	96
PID 2152 wrote to memory of 3880	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	98
PID 2152 wrote to memory of 3880	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	98
PID 2152 wrote to memory of 3880	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	98
PID 2152 wrote to memory of 3648	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	99
PID 2152 wrote to memory of 3648	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	99
PID 2152 wrote to memory of 3648	2152	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe	99
PID 3840 wrote to memory of 4188	3840	csrss.exe	101
PID 3840 wrote to memory of 4188	3840	csrss.exe	101
PID 3840 wrote to memory of 4188	3840	csrss.exe	101
PID 1364 wrote to memory of 1616	1364	smss.exe	100
PID 1364 wrote to memory of 1616	1364	smss.exe	100
PID 1364 wrote to memory of 1616	1364	smss.exe	100
PID 3880 wrote to memory of 3384	3880	lsass.exe	102

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe

C:\Users\Admin\AppData\Local\Temp\5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
"C:\Users\Admin\AppData\Local\Temp\5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
  C:\Users\Admin\AppData\Local\Temp\5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2152
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3840
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1932
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\nuxa.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\nuxa.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5040
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1364
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4976
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3444
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:752
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:5072
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:5076
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:456
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:456
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4188
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3996
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3140
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2712
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:1616
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1720
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:3580
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1492
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3628
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        
        PID:4128
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:1120
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:4212
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:736
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1708
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4128
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:4220
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2712
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3384
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2164
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4596
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2328
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4304
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1508
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3628
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:876
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3128
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1100
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4392
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1472
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4260
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:3068
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:4448
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2112
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:3648
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4928
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1840
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1496
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4908
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1128
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:216
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3108
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2544
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4380
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4268
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3832
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2392
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3508
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2212
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:4316
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3940
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2784
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4592
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:4472
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:4992
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:1928
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4416
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:3924
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\csnv.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\csnv.exe" 5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87
  2⤵
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4692

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
1⤵
- Loads dropped DLL
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c66b25b3e70174800ceb29c00733450ec54eac08a5cc2b0e66c4847b97b0e87.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csnv.exe

Filesize
76KB

MD5
74a0cdc2cb516281e8c5011293f30e32

SHA1
8c1ed010b5f614d3129319d2560341fd65ce65d3

SHA256
637779fab546f07a2d982763976ebef9e98b586cdd69daa3f0191acddebe4f14

SHA512
dcfb97f716c2078277fc2fa4c0215fcc00933f2fc190525393f287ee7a46f917a4f79a831c69c6916b939d073f10841fbd4710ef9e6673bd92ccc76e713c5f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nuxa.exe

Filesize
76KB

MD5
4c9a8c3f52f12d0fbff44100049b3928

SHA1
8169f552e7dfbef23eca55d94a6e9da91e0c4ace

SHA256
716d97792f4e56bda747571da3a9333197fd91c65a571e17c30597318abde828

SHA512
e73ee82bbb54065e4222647c418c4c346c4265650fcd11928e57d4cb445026cb7e8d309463142d4f985a3ae55c01cd8a64e5352592659bb78c0bfe96f600418d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
1ab7a248463e9dc273c700e848fadb34

SHA1
6eb0c900d0a43e3f2e80376587cfea8890af5002

SHA256
eede15dfd308e9bc36b7cbdfc0517c8d473eb4b0922a3a1e0d4e493fc8a35907

SHA512
5067355aca5350794c19c70c4f2cabeef981206e9bb38cbcb4307c2307ce01810c67277d0ebeaaa2a3de4fd6252483af97108b7985230625696582eb51b15924

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
13c6c5413ee9507bc2235b410f8a29c7

SHA1
d51c42e1c2f9d1f2b2623026bd29419258999cec

SHA256
019f817c1e197099d55dac98fc80888c52bc0c868d826c80942a44ee6e9bd66d

SHA512
83a6de02945662746c5c6584994727b9ea4c15a15e4ec72a707f1299c43433bfb6168506debe35e40cc45f6019d2f8a26d9fb5791440120565a1f227cf49bdb1

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\csnv.exe

Filesize
76KB

MD5
74a0cdc2cb516281e8c5011293f30e32

SHA1
8c1ed010b5f614d3129319d2560341fd65ce65d3

SHA256
637779fab546f07a2d982763976ebef9e98b586cdd69daa3f0191acddebe4f14

SHA512
dcfb97f716c2078277fc2fa4c0215fcc00933f2fc190525393f287ee7a46f917a4f79a831c69c6916b939d073f10841fbd4710ef9e6673bd92ccc76e713c5f8a

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\nuxa.exe

Filesize
76KB

MD5
4c9a8c3f52f12d0fbff44100049b3928

SHA1
8169f552e7dfbef23eca55d94a6e9da91e0c4ace

SHA256
716d97792f4e56bda747571da3a9333197fd91c65a571e17c30597318abde828

SHA512
e73ee82bbb54065e4222647c418c4c346c4265650fcd11928e57d4cb445026cb7e8d309463142d4f985a3ae55c01cd8a64e5352592659bb78c0bfe96f600418d

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
0d9d84b19e7c06d44a6fc284b30c8bc5

SHA1
bf6ea0233a8762617b55b51a6d8a276699cb16f3

SHA256
151de147c820c96e45d121551fe08778b700f1b6887c3ac4eaa5ec996b15a90b

SHA512
00a5c22aca657ea77d98d01935792eec68cb9d07efc6a382b033d5f3a862bca84bd695707b4a013c5196e49b05a0ad6433c9bd2ea69551554a8cb465e76a79b5

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
4c9a8c3f52f12d0fbff44100049b3928

SHA1
8169f552e7dfbef23eca55d94a6e9da91e0c4ace

SHA256
716d97792f4e56bda747571da3a9333197fd91c65a571e17c30597318abde828

SHA512
e73ee82bbb54065e4222647c418c4c346c4265650fcd11928e57d4cb445026cb7e8d309463142d4f985a3ae55c01cd8a64e5352592659bb78c0bfe96f600418d

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
d4328911b4b081bdd7d624c765295384

SHA1
04f1b55825558857a7a49de9cf908e93f728d4d4

SHA256
77cfee9c070e0a31df1c72553ca3934b6a2a9953082979b79fc57e4129d3c13b

SHA512
45ed70070c2ec03415f9595a7fb56bd5067cd32e2f674cc8804acbf3120a5d626129be6b9fe09d172109c7bbb2c5af1dc2d988b368c382077ffe6e79269337fc

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/216-350-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/216-338-0x0000000000000000-mapping.dmp

Download
memory/456-240-0x0000000000000000-mapping.dmp

Download
memory/464-166-0x0000000000000000-mapping.dmp

Download
memory/752-335-0x0000000000000000-mapping.dmp

Download
memory/876-367-0x0000000000000000-mapping.dmp

Download
memory/1100-391-0x0000000000000000-mapping.dmp

Download
memory/1128-331-0x0000000000000000-mapping.dmp

Download
memory/1324-339-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1324-324-0x0000000000000000-mapping.dmp

Download
memory/1364-195-0x0000000000000000-mapping.dmp

Download
memory/1364-238-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1364-427-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1364-201-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1472-409-0x0000000000000000-mapping.dmp

Download
memory/1496-307-0x0000000000000000-mapping.dmp

Download
memory/1496-423-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1504-290-0x0000000000000000-mapping.dmp

Download
memory/1508-344-0x0000000000000000-mapping.dmp

Download
memory/1520-365-0x0000000000000000-mapping.dmp

Download
memory/1616-262-0x0000000000000000-mapping.dmp

Download
memory/1812-317-0x0000000000000000-mapping.dmp

Download
memory/1840-286-0x0000000000000000-mapping.dmp

Download
memory/1840-313-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1840-428-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1932-178-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1932-173-0x0000000000000000-mapping.dmp

Download
memory/2152-430-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2152-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2152-134-0x0000000000000000-mapping.dmp

Download
memory/2164-289-0x0000000000000000-mapping.dmp

Download
memory/2328-311-0x0000000000000000-mapping.dmp

Download
memory/2336-384-0x0000000000000000-mapping.dmp

Download
memory/2392-393-0x0000000000000000-mapping.dmp

Download
memory/2392-402-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2520-214-0x0000000000000000-mapping.dmp

Download
memory/2544-357-0x0000000000000000-mapping.dmp

Download
memory/2544-363-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-237-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-255-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-416-0x0000000000000000-mapping.dmp

Download
memory/2712-232-0x0000000000000000-mapping.dmp

Download
memory/2908-292-0x0000000000000000-mapping.dmp

Download
memory/3012-189-0x0000000000000000-mapping.dmp

Download
memory/3108-351-0x0000000000000000-mapping.dmp

Download
memory/3128-387-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3128-378-0x0000000000000000-mapping.dmp

Download
memory/3140-356-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3140-364-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3140-349-0x0000000000000000-mapping.dmp

Download
memory/3148-284-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3148-276-0x0000000000000000-mapping.dmp

Download
memory/3148-429-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3332-239-0x0000000000000000-mapping.dmp

Download
memory/3384-426-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3384-264-0x0000000000000000-mapping.dmp

Download
memory/3384-270-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3388-225-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3388-220-0x0000000000000000-mapping.dmp

Download
memory/3388-254-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3428-406-0x0000000000000000-mapping.dmp

Download
memory/3444-312-0x0000000000000000-mapping.dmp

Download
memory/3508-407-0x0000000000000000-mapping.dmp

Download
memory/3616-147-0x0000000000000000-mapping.dmp

Download
memory/3628-352-0x0000000000000000-mapping.dmp

Download
memory/3648-260-0x0000000000000000-mapping.dmp

Download
memory/3832-386-0x0000000000000000-mapping.dmp

Download
memory/3840-171-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3840-155-0x0000000000000000-mapping.dmp

Download
memory/3840-431-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3880-243-0x0000000000000000-mapping.dmp

Download
memory/3996-342-0x0000000000000000-mapping.dmp

Download
memory/4180-394-0x0000000000000000-mapping.dmp

Download
memory/4180-408-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4188-261-0x0000000000000000-mapping.dmp

Download
memory/4268-383-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4268-374-0x0000000000000000-mapping.dmp

Download
memory/4304-327-0x0000000000000000-mapping.dmp

Download
memory/4304-341-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4336-301-0x0000000000000000-mapping.dmp

Download
memory/4336-432-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4336-315-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4380-366-0x0000000000000000-mapping.dmp

Download
memory/4392-405-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4392-400-0x0000000000000000-mapping.dmp

Download
memory/4404-202-0x0000000000000000-mapping.dmp

Download
memory/4444-226-0x0000000000000000-mapping.dmp

Download
memory/4588-285-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4588-287-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4588-279-0x0000000000000000-mapping.dmp

Download
memory/4596-298-0x0000000000000000-mapping.dmp

Download
memory/4596-309-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4604-373-0x0000000000000000-mapping.dmp

Download
memory/4604-385-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4692-140-0x0000000000000000-mapping.dmp

Download
memory/4772-300-0x0000000000000000-mapping.dmp

Download
memory/4772-308-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4908-318-0x0000000000000000-mapping.dmp

Download
memory/4908-330-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4928-273-0x0000000000000000-mapping.dmp

Download
memory/4976-213-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4976-208-0x0000000000000000-mapping.dmp

Download
memory/5040-180-0x0000000000000000-mapping.dmp

Download