0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a

Analysis

max time kernel
267s
max time network
353s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Size

205KB
MD5

6eae993ff5f359c8796199027c009b58
SHA1

f346b43723d8bcad06fc93b203f3663aff1df039
SHA256

0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a
SHA512

3c07b2baa988c6d095af1a158bb04381b941f16db8b470ddb01fe3600857dfb10d3e143716215f1c18f21841b356c3ca931e563c2eca07f885d37b08af09c7c9
SSDEEP

3072:hqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:hqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wdsa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	scna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wdsa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	scna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
788	wdsa.exe
996	csrss.exe
1872	csrss.exe
1456	csrss.exe
1248	csrss.exe
1952	smss.exe
1332	scna.exe
1876	smss.exe
948	csrss.exe
1772	csrss.exe
1196	smss.exe
1580	smss.exe
1548	smss.exe
1304	smss.exe
1504	lsass.exe
924	lsass.exe
1600	lsass.exe
1508	lsass.exe
1560	lsass.exe
1972	lsass.exe
1612	services.exe
880	services.exe
1984	services.exe
1204	csrss.exe
1532	csrss.exe
1788	smss.exe
1964	smss.exe
944	services.exe
1816	services.exe
2000	winlogon.exe
1784	winlogon.exe
1056	winlogon.exe
1772	lsass.exe
1584	~Paraysutki_VM_Community~
1240	~Paraysutki_VM_Community~
1692	~Paraysutki_VM_Community~
1924	lsass.exe
876	services.exe
1348	winlogon.exe
2032	csrss.exe
1068	winlogon.exe
1652	csrss.exe
1136	winlogon.exe
1604	services.exe
736	csrss.exe
1728	csrss.exe
1580	smss.exe
1428	winlogon.exe
1744	smss.exe
1308	winlogon.exe
1284	smss.exe
1108	smss.exe
1488	lsass.exe
620	lsass.exe
1496	lsass.exe
1532	~Paraysutki_VM_Community~
320	lsass.exe
324	services.exe
2020	services.exe
612	services.exe
1728	winlogon.exe
2092	services.exe
2100	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	lsass.exe

Loads dropped DLL 64 IoCs

pid	Process
752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
1872	csrss.exe
1872	csrss.exe
1872	csrss.exe
1456	csrss.exe
1456	csrss.exe
1248	csrss.exe
1872	csrss.exe
1872	csrss.exe
1952	smss.exe
1456	csrss.exe
1456	csrss.exe
1952	smss.exe
1952	smss.exe
1876	smss.exe
1876	smss.exe
1876	smss.exe
948	csrss.exe
948	csrss.exe
1772	csrss.exe
1876	smss.exe
1876	smss.exe
1196	smss.exe
1196	smss.exe
1580	smss.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1548	smss.exe
1548	smss.exe
1304	smss.exe
1872	csrss.exe
1876	smss.exe
1872	csrss.exe
1876	smss.exe
1504	lsass.exe
924	lsass.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1600	lsass.exe
1872	csrss.exe
1600	lsass.exe
924	lsass.exe
1876	smss.exe
924	lsass.exe
1504	lsass.exe
1600	lsass.exe
1508	lsass.exe
1560	lsass.exe
1972	lsass.exe
1876	smss.exe
1872	csrss.exe
1612	services.exe
880	services.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1508	lsass.exe

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	scna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	scna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	wdsa.exe
File opened (read-only)	\??\Q:	wdsa.exe
File opened (read-only)	\??\Z:	wdsa.exe
File opened (read-only)	\??\H:	scna.exe
File opened (read-only)	\??\O:	scna.exe
File opened (read-only)	\??\Y:	scna.exe
File opened (read-only)	\??\J:	wdsa.exe
File opened (read-only)	\??\V:	wdsa.exe
File opened (read-only)	\??\F:	scna.exe
File opened (read-only)	\??\K:	scna.exe
File opened (read-only)	\??\V:	scna.exe
File opened (read-only)	\??\Z:	scna.exe
File opened (read-only)	\??\B:	wdsa.exe
File opened (read-only)	\??\H:	wdsa.exe
File opened (read-only)	\??\L:	wdsa.exe
File opened (read-only)	\??\W:	wdsa.exe
File opened (read-only)	\??\G:	scna.exe
File opened (read-only)	\??\L:	scna.exe
File opened (read-only)	\??\F:	wdsa.exe
File opened (read-only)	\??\U:	wdsa.exe
File opened (read-only)	\??\X:	wdsa.exe
File opened (read-only)	\??\B:	scna.exe
File opened (read-only)	\??\U:	scna.exe
File opened (read-only)	\??\N:	scna.exe
File opened (read-only)	\??\G:	wdsa.exe
File opened (read-only)	\??\I:	wdsa.exe
File opened (read-only)	\??\M:	wdsa.exe
File opened (read-only)	\??\S:	wdsa.exe
File opened (read-only)	\??\T:	wdsa.exe
File opened (read-only)	\??\J:	scna.exe
File opened (read-only)	\??\X:	scna.exe
File opened (read-only)	\??\K:	wdsa.exe
File opened (read-only)	\??\O:	wdsa.exe
File opened (read-only)	\??\Y:	wdsa.exe
File opened (read-only)	\??\P:	scna.exe
File opened (read-only)	\??\Q:	scna.exe
File opened (read-only)	\??\R:	scna.exe
File opened (read-only)	\??\N:	wdsa.exe
File opened (read-only)	\??\R:	wdsa.exe
File opened (read-only)	\??\E:	scna.exe
File opened (read-only)	\??\I:	scna.exe
File opened (read-only)	\??\M:	scna.exe
File opened (read-only)	\??\P:	wdsa.exe
File opened (read-only)	\??\S:	scna.exe
File opened (read-only)	\??\T:	scna.exe
File opened (read-only)	\??\W:	scna.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\Desktop.sysm	scna.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	wdsa.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	\??\c:\windows\SysWOW64\Desktop.sysm	wdsa.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	wdsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	wdsa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	scna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	scna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	scna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	scna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	scna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	wdsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	wdsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	scna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	wdsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	wdsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	scna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	scna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	wdsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	wdsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	scna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
752	ping.exe
1228	ping.exe
2800	ping.exe
1656	ping.exe
1260	ping.exe
1588	ping.exe
2120	ping.exe
2504	ping.exe
1248	ping.exe
1788	ping.exe
2132	ping.exe
2512	ping.exe
2784	ping.exe
368	ping.exe
1552	ping.exe
2148	ping.exe
2520	ping.exe
2792	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
996	csrss.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
996	csrss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1952	smss.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1504	lsass.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe
1612	services.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
552	rundll32.exe
1160	rundll32.exe
1636	rundll32.exe
536	rundll32.exe
2424	rundll32.exe
2740	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
788	wdsa.exe
996	csrss.exe
1872	csrss.exe
1456	csrss.exe
1248	csrss.exe
1952	smss.exe
1332	scna.exe
1876	smss.exe
948	csrss.exe
1772	csrss.exe
1196	smss.exe
1580	smss.exe
1548	smss.exe
1304	smss.exe
1504	lsass.exe
924	lsass.exe
1600	lsass.exe
1508	lsass.exe
1560	lsass.exe
1972	lsass.exe
1612	services.exe
1984	services.exe
1204	csrss.exe
1532	csrss.exe
1788	smss.exe
1964	smss.exe
1816	services.exe
1772	lsass.exe
944	services.exe
1784	winlogon.exe
1056	winlogon.exe
1924	lsass.exe
1692	~Paraysutki_VM_Community~
1240	~Paraysutki_VM_Community~
2032	csrss.exe
1068	winlogon.exe
2000	winlogon.exe
876	services.exe
1348	winlogon.exe
1584	~Paraysutki_VM_Community~
1136	winlogon.exe
1652	csrss.exe
1604	services.exe
736	csrss.exe
1728	csrss.exe
1580	smss.exe
1428	winlogon.exe
1744	smss.exe
1284	smss.exe
1308	winlogon.exe
1108	smss.exe
1488	lsass.exe
1496	lsass.exe
620	lsass.exe
1532	~Paraysutki_VM_Community~
320	lsass.exe
324	services.exe
2020	services.exe
612	services.exe
1728	winlogon.exe
2092	services.exe
2100	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1480	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	28
PID 752 wrote to memory of 1480	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	28
PID 752 wrote to memory of 1480	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	28
PID 752 wrote to memory of 1480	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	28
PID 752 wrote to memory of 788	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	29
PID 752 wrote to memory of 788	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	29
PID 752 wrote to memory of 788	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	29
PID 752 wrote to memory of 788	752	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	29
PID 1480 wrote to memory of 996	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	30
PID 1480 wrote to memory of 996	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	30
PID 1480 wrote to memory of 996	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	30
PID 1480 wrote to memory of 996	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	30
PID 996 wrote to memory of 1872	996	csrss.exe	31
PID 996 wrote to memory of 1872	996	csrss.exe	31
PID 996 wrote to memory of 1872	996	csrss.exe	31
PID 996 wrote to memory of 1872	996	csrss.exe	31
PID 1872 wrote to memory of 1456	1872	csrss.exe	32
PID 1872 wrote to memory of 1456	1872	csrss.exe	32
PID 1872 wrote to memory of 1456	1872	csrss.exe	32
PID 1872 wrote to memory of 1456	1872	csrss.exe	32
PID 1456 wrote to memory of 1248	1456	csrss.exe	33
PID 1456 wrote to memory of 1248	1456	csrss.exe	33
PID 1456 wrote to memory of 1248	1456	csrss.exe	33
PID 1456 wrote to memory of 1248	1456	csrss.exe	33
PID 1872 wrote to memory of 1952	1872	csrss.exe	34
PID 1872 wrote to memory of 1952	1872	csrss.exe	34
PID 1872 wrote to memory of 1952	1872	csrss.exe	34
PID 1872 wrote to memory of 1952	1872	csrss.exe	34
PID 1456 wrote to memory of 1332	1456	csrss.exe	36
PID 1456 wrote to memory of 1332	1456	csrss.exe	36
PID 1456 wrote to memory of 1332	1456	csrss.exe	36
PID 1456 wrote to memory of 1332	1456	csrss.exe	36
PID 1952 wrote to memory of 1876	1952	smss.exe	35
PID 1952 wrote to memory of 1876	1952	smss.exe	35
PID 1952 wrote to memory of 1876	1952	smss.exe	35
PID 1952 wrote to memory of 1876	1952	smss.exe	35
PID 1876 wrote to memory of 948	1876	smss.exe	37
PID 1876 wrote to memory of 948	1876	smss.exe	37
PID 1876 wrote to memory of 948	1876	smss.exe	37
PID 1876 wrote to memory of 948	1876	smss.exe	37
PID 948 wrote to memory of 1772	948	csrss.exe	38
PID 948 wrote to memory of 1772	948	csrss.exe	38
PID 948 wrote to memory of 1772	948	csrss.exe	38
PID 948 wrote to memory of 1772	948	csrss.exe	38
PID 1876 wrote to memory of 1196	1876	smss.exe	39
PID 1876 wrote to memory of 1196	1876	smss.exe	39
PID 1876 wrote to memory of 1196	1876	smss.exe	39
PID 1876 wrote to memory of 1196	1876	smss.exe	39
PID 1196 wrote to memory of 1580	1196	smss.exe	40
PID 1196 wrote to memory of 1580	1196	smss.exe	40
PID 1196 wrote to memory of 1580	1196	smss.exe	40
PID 1196 wrote to memory of 1580	1196	smss.exe	40
PID 1480 wrote to memory of 1548	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	41
PID 1480 wrote to memory of 1548	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	41
PID 1480 wrote to memory of 1548	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	41
PID 1480 wrote to memory of 1548	1480	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe	41
PID 1548 wrote to memory of 1304	1548	smss.exe	42
PID 1548 wrote to memory of 1304	1548	smss.exe	42
PID 1548 wrote to memory of 1304	1548	smss.exe	42
PID 1548 wrote to memory of 1304	1548	smss.exe	42
PID 1872 wrote to memory of 1504	1872	csrss.exe	43
PID 1872 wrote to memory of 1504	1872	csrss.exe	43
PID 1872 wrote to memory of 1504	1872	csrss.exe	43
PID 1872 wrote to memory of 1504	1872	csrss.exe	43

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

C:\Users\Admin\AppData\Local\Temp\0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
"C:\Users\Admin\AppData\Local\Temp\0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
  C:\Users\Admin\AppData\Local\Temp\0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1480
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1872
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1248
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scna.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\scna.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1332
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1508
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1636
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2120
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2132
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        9⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        9⤵
        Runs ping.exe
        
        PID:2148
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        9⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        9⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        9⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        9⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2424
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2512
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        9⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        9⤵
        Runs ping.exe
        
        PID:2520
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2504
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        9⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        9⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        9⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        9⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        9⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1160
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1228
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1588
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:1552
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:920
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1504
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1972
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:880
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1136
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:552
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:368
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1260
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:1788
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:612
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:1688
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1304
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1600
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1560
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1984
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:944
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1784
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1348
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:736
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:612
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2740
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2784
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2792
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:2800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:2940
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1240
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:536
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:752
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:1248
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:1656
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:852
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:1096
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\wdsa.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\wdsa.exe" 0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a
  2⤵
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\scna.exe

Filesize
76KB

MD5
4c080dbb57d2129d29f7cd09e28d8cd6

SHA1
b27fb211f319c0c7d391e4c746b0501434d57a14

SHA256
0720d356c5ec5c5fbda25cdd6837fa4a7492576fa60f9104a5b1e70911a616bc

SHA512
043d89cc861d22fbd9463713928597f3a33d8b43ec146939801b22f5dd12b2c456db6d1f76d18deb87a30985bf43c3376eb3c6c7439c53747547ce6f34062c57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\wdsa.exe

Filesize
76KB

MD5
bd9ad661e0bc9238471aa0ff5f98bba6

SHA1
432ed48c09e06bd86386dccea88414df53c68b33

SHA256
42c71e4f10bef48e59667cb0669d2e7dd09931fbb7f59caf1e26449b2791fcda

SHA512
37a1ff58849bdca5d5367f034788b809068b4b8d731bdfff6b2185a462e9297d68623a92c1b4747b5e18a4c0598a200a8b88abc1b7997cc0bac1b16d38fce622

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scna.exe

Filesize
76KB

MD5
4c080dbb57d2129d29f7cd09e28d8cd6

SHA1
b27fb211f319c0c7d391e4c746b0501434d57a14

SHA256
0720d356c5ec5c5fbda25cdd6837fa4a7492576fa60f9104a5b1e70911a616bc

SHA512
043d89cc861d22fbd9463713928597f3a33d8b43ec146939801b22f5dd12b2c456db6d1f76d18deb87a30985bf43c3376eb3c6c7439c53747547ce6f34062c57

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\wdsa.exe

Filesize
76KB

MD5
bd9ad661e0bc9238471aa0ff5f98bba6

SHA1
432ed48c09e06bd86386dccea88414df53c68b33

SHA256
42c71e4f10bef48e59667cb0669d2e7dd09931fbb7f59caf1e26449b2791fcda

SHA512
37a1ff58849bdca5d5367f034788b809068b4b8d731bdfff6b2185a462e9297d68623a92c1b4747b5e18a4c0598a200a8b88abc1b7997cc0bac1b16d38fce622

Download Submit
\??\c:\windows\SysWOW64\CommandPrompt.Sysm

Filesize
76KB

MD5
fefc88fc60916a4587fd5ed1599ada70

SHA1
58590badc9c93d3ff20d0da14120bda2d3387bd0

SHA256
c20faaec556b0564a644f3c62336fcf363f674aa9bb2265b984be350a7368f9c

SHA512
f3a284d60cf99782db1c67bc6d1070b617f103412a4ead99fa5953e99d336c80f4f7c1b9c941929cb5ef5570d0f8026b1c7b31ec6d0784b46caf752ce6f0dd79

Download Submit
\??\c:\windows\SysWOW64\Desktop.sysm

Filesize
76KB

MD5
fefc88fc60916a4587fd5ed1599ada70

SHA1
58590badc9c93d3ff20d0da14120bda2d3387bd0

SHA256
c20faaec556b0564a644f3c62336fcf363f674aa9bb2265b984be350a7368f9c

SHA512
f3a284d60cf99782db1c67bc6d1070b617f103412a4ead99fa5953e99d336c80f4f7c1b9c941929cb5ef5570d0f8026b1c7b31ec6d0784b46caf752ce6f0dd79

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
4c080dbb57d2129d29f7cd09e28d8cd6

SHA1
b27fb211f319c0c7d391e4c746b0501434d57a14

SHA256
0720d356c5ec5c5fbda25cdd6837fa4a7492576fa60f9104a5b1e70911a616bc

SHA512
043d89cc861d22fbd9463713928597f3a33d8b43ec146939801b22f5dd12b2c456db6d1f76d18deb87a30985bf43c3376eb3c6c7439c53747547ce6f34062c57

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
fefc88fc60916a4587fd5ed1599ada70

SHA1
58590badc9c93d3ff20d0da14120bda2d3387bd0

SHA256
c20faaec556b0564a644f3c62336fcf363f674aa9bb2265b984be350a7368f9c

SHA512
f3a284d60cf99782db1c67bc6d1070b617f103412a4ead99fa5953e99d336c80f4f7c1b9c941929cb5ef5570d0f8026b1c7b31ec6d0784b46caf752ce6f0dd79

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
626ae66dd2d67b3b3f40b7be53cc6782

SHA1
d94f307e2d87a9abc97aa86b112c810bc45d8465

SHA256
ef53e1336f3efc0d25267db7d7d38199f601bcbcc06d4b90a039e5728197b2a6

SHA512
d43dc540007e08e586c23820be8296d3ad8f4e950a26242b0568c27c5deaf57d3bac0fc629d8ab197551ce9dcaf2670cef410ca138a481825e990f1590d1362f

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\0606b4e4dea64c05a6b041dbc2a50276e02efa9fcd194e2d895c1dec9d3d266a.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\scna.exe

Filesize
76KB

MD5
4c080dbb57d2129d29f7cd09e28d8cd6

SHA1
b27fb211f319c0c7d391e4c746b0501434d57a14

SHA256
0720d356c5ec5c5fbda25cdd6837fa4a7492576fa60f9104a5b1e70911a616bc

SHA512
043d89cc861d22fbd9463713928597f3a33d8b43ec146939801b22f5dd12b2c456db6d1f76d18deb87a30985bf43c3376eb3c6c7439c53747547ce6f34062c57

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\scna.exe

Filesize
76KB

MD5
4c080dbb57d2129d29f7cd09e28d8cd6

SHA1
b27fb211f319c0c7d391e4c746b0501434d57a14

SHA256
0720d356c5ec5c5fbda25cdd6837fa4a7492576fa60f9104a5b1e70911a616bc

SHA512
043d89cc861d22fbd9463713928597f3a33d8b43ec146939801b22f5dd12b2c456db6d1f76d18deb87a30985bf43c3376eb3c6c7439c53747547ce6f34062c57

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\wdsa.exe

Filesize
76KB

MD5
bd9ad661e0bc9238471aa0ff5f98bba6

SHA1
432ed48c09e06bd86386dccea88414df53c68b33

SHA256
42c71e4f10bef48e59667cb0669d2e7dd09931fbb7f59caf1e26449b2791fcda

SHA512
37a1ff58849bdca5d5367f034788b809068b4b8d731bdfff6b2185a462e9297d68623a92c1b4747b5e18a4c0598a200a8b88abc1b7997cc0bac1b16d38fce622

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\wdsa.exe

Filesize
76KB

MD5
bd9ad661e0bc9238471aa0ff5f98bba6

SHA1
432ed48c09e06bd86386dccea88414df53c68b33

SHA256
42c71e4f10bef48e59667cb0669d2e7dd09931fbb7f59caf1e26449b2791fcda

SHA512
37a1ff58849bdca5d5367f034788b809068b4b8d731bdfff6b2185a462e9297d68623a92c1b4747b5e18a4c0598a200a8b88abc1b7997cc0bac1b16d38fce622

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
eaccba222f2250fdf8a1ffbd65bef273

SHA1
1d6106112a20d5630e005439a599da8143ca3a7d

SHA256
5252967b2005e27fa8935d9438eca423923dceb410a5980d2775df8c361e3dfc

SHA512
43f93398ccc502f55cb17da18f9e9cc19a1920f0b6ab3e2dd1ce5a43db0c46fbb13d3a0e1f9d5438b832e9e72e3b0a16cc366c349fedadfed60114be5942c0d6

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/320-385-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/620-384-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/752-61-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/752-84-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/752-112-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/752-59-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/924-202-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/924-252-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/924-203-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/924-253-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/944-239-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/944-303-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/996-114-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/996-113-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/1056-280-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1068-311-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1068-281-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1108-368-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1136-314-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1136-301-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1248-123-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1248-117-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1304-191-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1304-214-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1308-373-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1308-383-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1308-346-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1348-282-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1348-371-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1428-344-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1456-116-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1480-359-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1480-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1480-165-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1508-254-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1508-205-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1532-231-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1532-307-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1560-206-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1560-216-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1580-175-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1600-204-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1600-201-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1600-250-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1604-323-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1652-316-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1652-300-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1728-318-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1744-372-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1744-381-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1772-160-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1816-345-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1872-115-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1872-364-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1876-172-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1876-367-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1876-283-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1924-304-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-170-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1952-168-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1964-298-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-234-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-215-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-207-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-390-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download