6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234

Analysis

max time kernel
240s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Size

205KB
MD5

22b20ae43f73b7b108458323817c6866
SHA1

1b406f493917fecc54a6534c059f495d43fda46d
SHA256

6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234
SHA512

b43f752a15b05052c71c6e5dc5a2be00b9e2caa49b5c2b2d9d506e3506e78eab42271f451c2e898691ea160d2f429be7b22c6abd7b94c787ee82a847b3d539d2
SSDEEP

3072:bqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:bqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csna.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csna.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 53 IoCs

pid	Process
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1852	csrss.exe
1736	csrss.exe
768	csrss.exe
1296	csrss.exe
1672	csna.exe
1764	smss.exe
2028	smss.exe
1112	csrss.exe
1124	csrss.exe
1464	smss.exe
1316	smss.exe
1600	lsass.exe
2008	smss.exe
1276	smss.exe
292	lsass.exe
1588	lsass.exe
664	services.exe
1648	services.exe
908	lsass.exe
1364	lsass.exe
1256	lsass.exe
876	services.exe
844	services.exe
1916	services.exe
800	winlogon.exe
1128	winlogon.exe
1360	services.exe
1488	winlogon.exe
1112	winlogon.exe
936	winlogon.exe
1824	~Paraysutki_VM_Community~
1608	~Paraysutki_VM_Community~
620	~Paraysutki_VM_Community~
2012	winlogon.exe
1628	csrss.exe
1908	csrss.exe
1240	csrss.exe
1084	smss.exe
1544	csrss.exe
1192	csrss.exe
1548	csrss.exe
1604	smss.exe
1648	smss.exe
560	smss.exe
1784	lsass.exe
1548	smss.exe
288	lsass.exe
1528	smss.exe
1176	lsass.exe
1824	services.exe
664	lsass.exe
800	lsass.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Loads dropped DLL 64 IoCs

pid	Process
1972	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1972	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1736	csrss.exe
1736	csrss.exe
1736	csrss.exe
768	csrss.exe
768	csrss.exe
1296	csrss.exe
768	csrss.exe
768	csrss.exe
1736	csrss.exe
1736	csrss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
2028	smss.exe
2028	smss.exe
2028	smss.exe
1112	csrss.exe
1112	csrss.exe
1124	csrss.exe
2028	smss.exe
2028	smss.exe
1464	smss.exe
1464	smss.exe
1316	smss.exe
2028	smss.exe
2028	smss.exe
1600	lsass.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
2008	smss.exe
2008	smss.exe
1276	smss.exe
1736	csrss.exe
1736	csrss.exe
2028	smss.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1736	csrss.exe
292	lsass.exe
1736	csrss.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
2028	smss.exe
1588	lsass.exe
664	services.exe
1648	services.exe
1588	lsass.exe
1600	lsass.exe
292	lsass.exe
908	lsass.exe
1256	lsass.exe
1364	lsass.exe
1648	services.exe
664	services.exe
1648	services.exe
664	services.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1736	csrss.exe
2028	smss.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	csna.exe
File opened (read-only)	\??\J:	csna.exe
File opened (read-only)	\??\L:	csna.exe
File opened (read-only)	\??\N:	csna.exe
File opened (read-only)	\??\O:	csna.exe
File opened (read-only)	\??\W:	csna.exe
File opened (read-only)	\??\G:	csna.exe
File opened (read-only)	\??\H:	csna.exe
File opened (read-only)	\??\I:	csna.exe
File opened (read-only)	\??\U:	csna.exe
File opened (read-only)	\??\V:	csna.exe
File opened (read-only)	\??\X:	csna.exe
File opened (read-only)	\??\B:	csna.exe
File opened (read-only)	\??\F:	csna.exe
File opened (read-only)	\??\P:	csna.exe
File opened (read-only)	\??\S:	csna.exe
File opened (read-only)	\??\T:	csna.exe
File opened (read-only)	\??\Z:	csna.exe
File opened (read-only)	\??\E:	csna.exe
File opened (read-only)	\??\K:	csna.exe
File opened (read-only)	\??\M:	csna.exe
File opened (read-only)	\??\Q:	csna.exe
File opened (read-only)	\??\R:	csna.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	csna.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	csna.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	csna.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	csna.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	csna.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	csna.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	csna.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	csna.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	csna.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	csna.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	csna.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
912	ping.exe
620	ping.exe
1616	ping.exe
1464	ping.exe
1800	ping.exe
1584	ping.exe
1536	ping.exe
1680	ping.exe
1476	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1764	smss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1852	csrss.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe
1600	lsass.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1972	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
1852	csrss.exe
1736	csrss.exe
768	csrss.exe
1296	csrss.exe
1672	csna.exe
1764	smss.exe
2028	smss.exe
1112	csrss.exe
1124	csrss.exe
1464	smss.exe
1316	smss.exe
1600	lsass.exe
2008	smss.exe
1276	smss.exe
292	lsass.exe
1648	services.exe
1588	lsass.exe
664	services.exe
1364	lsass.exe
1256	lsass.exe
908	lsass.exe
844	services.exe
876	services.exe
1916	services.exe
800	winlogon.exe
1128	winlogon.exe
1360	services.exe
1488	winlogon.exe
936	winlogon.exe
1112	winlogon.exe
620	~Paraysutki_VM_Community~
1824	~Paraysutki_VM_Community~
1608	~Paraysutki_VM_Community~
1628	csrss.exe
1908	csrss.exe
1240	csrss.exe
1084	smss.exe
1544	csrss.exe
2012	winlogon.exe
1192	csrss.exe
1548	csrss.exe
1604	smss.exe
1648	smss.exe
560	smss.exe
1784	lsass.exe
1548	smss.exe
288	lsass.exe
1176	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1176	1972	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	28
PID 1972 wrote to memory of 1176	1972	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	28
PID 1972 wrote to memory of 1176	1972	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	28
PID 1972 wrote to memory of 1176	1972	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	28
PID 1176 wrote to memory of 1852	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	29
PID 1176 wrote to memory of 1852	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	29
PID 1176 wrote to memory of 1852	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	29
PID 1176 wrote to memory of 1852	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	29
PID 1852 wrote to memory of 1736	1852	csrss.exe	30
PID 1852 wrote to memory of 1736	1852	csrss.exe	30
PID 1852 wrote to memory of 1736	1852	csrss.exe	30
PID 1852 wrote to memory of 1736	1852	csrss.exe	30
PID 1736 wrote to memory of 768	1736	csrss.exe	31
PID 1736 wrote to memory of 768	1736	csrss.exe	31
PID 1736 wrote to memory of 768	1736	csrss.exe	31
PID 1736 wrote to memory of 768	1736	csrss.exe	31
PID 768 wrote to memory of 1296	768	csrss.exe	32
PID 768 wrote to memory of 1296	768	csrss.exe	32
PID 768 wrote to memory of 1296	768	csrss.exe	32
PID 768 wrote to memory of 1296	768	csrss.exe	32
PID 768 wrote to memory of 1672	768	csrss.exe	33
PID 768 wrote to memory of 1672	768	csrss.exe	33
PID 768 wrote to memory of 1672	768	csrss.exe	33
PID 768 wrote to memory of 1672	768	csrss.exe	33
PID 1736 wrote to memory of 1764	1736	csrss.exe	34
PID 1736 wrote to memory of 1764	1736	csrss.exe	34
PID 1736 wrote to memory of 1764	1736	csrss.exe	34
PID 1736 wrote to memory of 1764	1736	csrss.exe	34
PID 1764 wrote to memory of 2028	1764	smss.exe	35
PID 1764 wrote to memory of 2028	1764	smss.exe	35
PID 1764 wrote to memory of 2028	1764	smss.exe	35
PID 1764 wrote to memory of 2028	1764	smss.exe	35
PID 2028 wrote to memory of 1112	2028	smss.exe	36
PID 2028 wrote to memory of 1112	2028	smss.exe	36
PID 2028 wrote to memory of 1112	2028	smss.exe	36
PID 2028 wrote to memory of 1112	2028	smss.exe	36
PID 1112 wrote to memory of 1124	1112	csrss.exe	37
PID 1112 wrote to memory of 1124	1112	csrss.exe	37
PID 1112 wrote to memory of 1124	1112	csrss.exe	37
PID 1112 wrote to memory of 1124	1112	csrss.exe	37
PID 2028 wrote to memory of 1464	2028	smss.exe	38
PID 2028 wrote to memory of 1464	2028	smss.exe	38
PID 2028 wrote to memory of 1464	2028	smss.exe	38
PID 2028 wrote to memory of 1464	2028	smss.exe	38
PID 1464 wrote to memory of 1316	1464	smss.exe	39
PID 1464 wrote to memory of 1316	1464	smss.exe	39
PID 1464 wrote to memory of 1316	1464	smss.exe	39
PID 1464 wrote to memory of 1316	1464	smss.exe	39
PID 2028 wrote to memory of 1600	2028	smss.exe	40
PID 2028 wrote to memory of 1600	2028	smss.exe	40
PID 2028 wrote to memory of 1600	2028	smss.exe	40
PID 2028 wrote to memory of 1600	2028	smss.exe	40
PID 1176 wrote to memory of 2008	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	41
PID 1176 wrote to memory of 2008	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	41
PID 1176 wrote to memory of 2008	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	41
PID 1176 wrote to memory of 2008	1176	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe	41
PID 2008 wrote to memory of 1276	2008	smss.exe	42
PID 2008 wrote to memory of 1276	2008	smss.exe	42
PID 2008 wrote to memory of 1276	2008	smss.exe	42
PID 2008 wrote to memory of 1276	2008	smss.exe	42
PID 1736 wrote to memory of 292	1736	csrss.exe	43
PID 1736 wrote to memory of 292	1736	csrss.exe	43
PID 1736 wrote to memory of 292	1736	csrss.exe	43
PID 1736 wrote to memory of 292	1736	csrss.exe	43

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

C:\Users\Admin\AppData\Local\Temp\6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
"C:\Users\Admin\AppData\Local\Temp\6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
  C:\Users\Admin\AppData\Local\Temp\6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1176
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1736
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1296
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\csna.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\csna.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1672
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2028
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        
        PID:876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:556
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1680
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:1616
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1476
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:936
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:292
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1256
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:664
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1128
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1464
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:912
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:1800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:652
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:1712
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1276
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1588
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:908
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1916
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1360
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:936
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2012
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:620
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    PID:964
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:1584
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:1536
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:620
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:828
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csna.exe

Filesize
76KB

MD5
7c8b8098d704fd7db426505773d11ec5

SHA1
1d7f868fbbf997548fb661e47a89607c09c01c20

SHA256
859ab616daec6fcede5f50178c46e525d6a1cdf6b3f316d1bc5daa16f00094ac

SHA512
98fe09066ae4227852ec6979de4999c211dfdae40bd6eb0f74eefa0c52e0a2bc06c8c14bfafe2ecea9cfa142d6e84c5d38eb2acc0a56b519d243fd1234dc98d1

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\csna.exe

Filesize
76KB

MD5
7c8b8098d704fd7db426505773d11ec5

SHA1
1d7f868fbbf997548fb661e47a89607c09c01c20

SHA256
859ab616daec6fcede5f50178c46e525d6a1cdf6b3f316d1bc5daa16f00094ac

SHA512
98fe09066ae4227852ec6979de4999c211dfdae40bd6eb0f74eefa0c52e0a2bc06c8c14bfafe2ecea9cfa142d6e84c5d38eb2acc0a56b519d243fd1234dc98d1

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
a3a04743085c51bd659c87a7b6b296e0

SHA1
94b6821c1a9022a6fd6d32cddf27fa3bfa84dd60

SHA256
a790744eb05a3b400969e37ee4a8396f7aa6daae1553e47941e56275d8c58996

SHA512
c2e5c384bc426cab44d4de6680a5a2fcb6b0f30dc84d269328e2937557f5743a3b9be32911d0d25e63134ba1e0cf289d116d6423fac556e85e327f6971572369

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\6cb93200c651327443e766c98a6dff8a7a3c6af3bd2acc266d451fb41be10234.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csna.exe

Filesize
76KB

MD5
7c8b8098d704fd7db426505773d11ec5

SHA1
1d7f868fbbf997548fb661e47a89607c09c01c20

SHA256
859ab616daec6fcede5f50178c46e525d6a1cdf6b3f316d1bc5daa16f00094ac

SHA512
98fe09066ae4227852ec6979de4999c211dfdae40bd6eb0f74eefa0c52e0a2bc06c8c14bfafe2ecea9cfa142d6e84c5d38eb2acc0a56b519d243fd1234dc98d1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csna.exe

Filesize
76KB

MD5
7c8b8098d704fd7db426505773d11ec5

SHA1
1d7f868fbbf997548fb661e47a89607c09c01c20

SHA256
859ab616daec6fcede5f50178c46e525d6a1cdf6b3f316d1bc5daa16f00094ac

SHA512
98fe09066ae4227852ec6979de4999c211dfdae40bd6eb0f74eefa0c52e0a2bc06c8c14bfafe2ecea9cfa142d6e84c5d38eb2acc0a56b519d243fd1234dc98d1

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ac1d74547bdedcbc7cf3d0468a0f0274

SHA1
aed1a6b2ad72bacd569555a8c3fc8a6b424f8d32

SHA256
8664b32ca05f284740f6d22dffb4e5efb51db2141c645cf4d23d29bd84b3a61e

SHA512
6d08ae1df05efe877252f5f4bc3608d825c16b9e737d39effbf99b577ed1f95340ede8c2ad593d8c252e6a78e0cc939cd74cd066a70c1a92e58cf421c6dd646d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/292-239-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/292-209-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/292-195-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/560-365-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/560-353-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/664-241-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/664-212-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/664-378-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/800-250-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/800-366-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/800-237-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/844-244-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/876-268-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/876-243-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/908-207-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/908-283-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1112-293-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1124-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1128-249-0x00000000005B0000-0x00000000005DA000-memory.dmp

Filesize
168KB

Download
memory/1128-236-0x00000000005B0000-0x00000000005DA000-memory.dmp

Filesize
168KB

Download
memory/1176-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1176-352-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1192-320-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1256-210-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1256-286-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1276-251-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1276-179-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1296-104-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1316-163-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1316-162-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1360-231-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1360-263-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1364-208-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1396-380-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1464-167-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1488-238-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1548-321-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1548-331-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1604-361-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1648-213-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download
memory/1648-240-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download
memory/1648-242-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download
memory/1648-211-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download
memory/1736-347-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-274-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/1764-160-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/1764-159-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/1784-358-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1784-381-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1828-379-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1852-183-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/1852-101-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/1908-290-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1916-248-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1916-230-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1972-182-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1972-96-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1972-95-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1972-181-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2008-178-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/2012-350-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-271-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2028-348-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2028-161-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download