800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Size

205KB
MD5

2f83967ab54b4c93126cdee6009bb169
SHA1

07048595f55720d2bf0553293c62413ca1f2e4e7
SHA256

800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5
SHA512

a76b59205fb010d636c709c0ddd4ce8a159a793947e582affb4bf256531dfc69e62c9c937794323dc4862524915e99d10a09c3a9b2df38b76d124d501e1620df
SSDEEP

3072:vqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:vqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe

Modifies system executable filetype association 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wcsa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wcsa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 7 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe

Disables RegEdit via registry modification 7 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
1760	csrss.exe
544	csrss.exe
2020	csrss.exe
1404	csrss.exe
2032	wcsa.exe
1724	smss.exe
1280	smss.exe
1340	csrss.exe
1468	csrss.exe
1504	smss.exe
1360	smss.exe
1940	lsass.exe
1172	lsass.exe
1708	csrss.exe
628	csrss.exe
1992	smss.exe
688	winlogon.exe
1484	lsass.exe
860	lsass.exe
876	services.exe
1788	services.exe
832	csrss.exe
940	csrss.exe
1356	rundll32.exe
1548	conhost.exe
1564	lsass.exe
1688	lsass.exe
1620	services.exe
996	services.exe
1732	winlogon.exe
1328	winlogon.exe
1340	csrss.exe
1516	csrss.exe
1360	smss.exe
1004	smss.exe
1504	smss.exe
1268	lsass.exe
1344	services.exe
1308	services.exe
1472	winlogon.exe
688	winlogon.exe
584	~Paraysutki_VM_Community~
1916	~Paraysutki_VM_Community~
1268	smss.exe
1080	smss.exe
1300	lsass.exe
512	lsass.exe
1868	services.exe
1472	services.exe
584	winlogon.exe
1856	lsass.exe
1660	lsass.exe
940	winlogon.exe
1688	services.exe
1564	csrss.exe
1128	services.exe
1948	csrss.exe
1016	services.exe
1328	services.exe
932	smss.exe
1504	winlogon.exe
2016	winlogon.exe
912	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	csrss.exe

Loads dropped DLL 64 IoCs

pid	Process
960	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
960	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
544	csrss.exe
544	csrss.exe
544	csrss.exe
2020	csrss.exe
2020	csrss.exe
1404	csrss.exe
2020	csrss.exe
2020	csrss.exe
544	csrss.exe
544	csrss.exe
1724	smss.exe
1724	smss.exe
1724	smss.exe
1280	smss.exe
1280	smss.exe
1280	smss.exe
1340	csrss.exe
1340	csrss.exe
1468	csrss.exe
1280	smss.exe
1280	smss.exe
1504	smss.exe
1504	smss.exe
1360	smss.exe
1280	smss.exe
1280	smss.exe
1940	lsass.exe
1940	lsass.exe
1940	lsass.exe
1172	lsass.exe
1172	lsass.exe
1172	lsass.exe
1708	csrss.exe
1708	csrss.exe
628	csrss.exe
1172	lsass.exe
1172	lsass.exe
1992	smss.exe
1992	smss.exe
688	winlogon.exe
1172	lsass.exe
1172	lsass.exe
1484	lsass.exe
1484	lsass.exe
860	lsass.exe
1172	lsass.exe
1172	lsass.exe
876	services.exe
876	services.exe
876	services.exe
1788	services.exe
1788	services.exe
1788	services.exe
832	csrss.exe
832	csrss.exe
940	csrss.exe
1788	services.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wcsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	wcsa.exe
File opened (read-only)	\??\R:	wcsa.exe
File opened (read-only)	\??\U:	wcsa.exe
File opened (read-only)	\??\B:	wcsa.exe
File opened (read-only)	\??\G:	wcsa.exe
File opened (read-only)	\??\I:	wcsa.exe
File opened (read-only)	\??\K:	wcsa.exe
File opened (read-only)	\??\N:	wcsa.exe
File opened (read-only)	\??\W:	wcsa.exe
File opened (read-only)	\??\Z:	wcsa.exe
File opened (read-only)	\??\F:	wcsa.exe
File opened (read-only)	\??\H:	wcsa.exe
File opened (read-only)	\??\L:	wcsa.exe
File opened (read-only)	\??\T:	wcsa.exe
File opened (read-only)	\??\V:	wcsa.exe
File opened (read-only)	\??\E:	wcsa.exe
File opened (read-only)	\??\P:	wcsa.exe
File opened (read-only)	\??\X:	wcsa.exe
File opened (read-only)	\??\Y:	wcsa.exe
File opened (read-only)	\??\J:	wcsa.exe
File opened (read-only)	\??\M:	wcsa.exe
File opened (read-only)	\??\O:	wcsa.exe
File opened (read-only)	\??\S:	wcsa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	wcsa.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	rundll32.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	wcsa.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	wcsa.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	wcsa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	wcsa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	wcsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	wcsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	wcsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	wcsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	wcsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	wcsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	wcsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Runs ping.exe 1 TTPs 21 IoCs

Remote System Discovery

T1018

pid	Process
1540	ping.exe
960	ping.exe
912	ping.exe
1940	ping.exe
2264	ping.exe
2280	ping.exe
2628	ping.exe
996	ping.exe
2272	ping.exe
2620	ping.exe
2612	ping.exe
2776	ping.exe
904	ping.exe
432	ping.exe
1008	ping.exe
1620	ping.exe
2768	ping.exe
1060	ping.exe
1732	ping.exe
1712	ping.exe
2784	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1732	winlogon.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe
1760	csrss.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
848	rundll32.exe
1640	rundll32.exe
1772	rundll32.exe
2520	rundll32.exe
1208	rundll32.exe
2556	rundll32.exe
1948	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
960	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
1760	csrss.exe
544	csrss.exe
2020	csrss.exe
1404	csrss.exe
2032	wcsa.exe
1724	smss.exe
1280	smss.exe
1340	csrss.exe
1468	csrss.exe
1504	smss.exe
1360	smss.exe
1940	lsass.exe
1172	lsass.exe
1708	csrss.exe
628	csrss.exe
1992	smss.exe
688	winlogon.exe
1484	lsass.exe
860	lsass.exe
876	services.exe
1788	services.exe
832	csrss.exe
940	csrss.exe
1356	rundll32.exe
1548	conhost.exe
1564	lsass.exe
1688	lsass.exe
1620	services.exe
996	services.exe
1732	winlogon.exe
1328	winlogon.exe
1340	csrss.exe
1516	csrss.exe
1360	smss.exe
1004	smss.exe
1504	smss.exe
1268	lsass.exe
1344	services.exe
1308	services.exe
1472	winlogon.exe
688	winlogon.exe
584	~Paraysutki_VM_Community~
1268	smss.exe
1080	smss.exe
1300	lsass.exe
512	lsass.exe
1868	services.exe
1472	services.exe
584	winlogon.exe
1856	lsass.exe
1660	lsass.exe
940	winlogon.exe
1688	services.exe
1564	csrss.exe
1128	services.exe
1948	csrss.exe
1016	services.exe
1328	services.exe
932	smss.exe
2016	winlogon.exe
1504	winlogon.exe
1976	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 2008	960	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	27
PID 960 wrote to memory of 2008	960	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	27
PID 960 wrote to memory of 2008	960	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	27
PID 960 wrote to memory of 2008	960	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	27
PID 2008 wrote to memory of 1760	2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	29
PID 2008 wrote to memory of 1760	2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	29
PID 2008 wrote to memory of 1760	2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	29
PID 2008 wrote to memory of 1760	2008	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe	29
PID 1760 wrote to memory of 544	1760	csrss.exe	28
PID 1760 wrote to memory of 544	1760	csrss.exe	28
PID 1760 wrote to memory of 544	1760	csrss.exe	28
PID 1760 wrote to memory of 544	1760	csrss.exe	28
PID 544 wrote to memory of 2020	544	csrss.exe	30
PID 544 wrote to memory of 2020	544	csrss.exe	30
PID 544 wrote to memory of 2020	544	csrss.exe	30
PID 544 wrote to memory of 2020	544	csrss.exe	30
PID 2020 wrote to memory of 1404	2020	csrss.exe	31
PID 2020 wrote to memory of 1404	2020	csrss.exe	31
PID 2020 wrote to memory of 1404	2020	csrss.exe	31
PID 2020 wrote to memory of 1404	2020	csrss.exe	31
PID 2020 wrote to memory of 2032	2020	csrss.exe	32
PID 2020 wrote to memory of 2032	2020	csrss.exe	32
PID 2020 wrote to memory of 2032	2020	csrss.exe	32
PID 2020 wrote to memory of 2032	2020	csrss.exe	32
PID 544 wrote to memory of 1724	544	csrss.exe	33
PID 544 wrote to memory of 1724	544	csrss.exe	33
PID 544 wrote to memory of 1724	544	csrss.exe	33
PID 544 wrote to memory of 1724	544	csrss.exe	33
PID 1724 wrote to memory of 1280	1724	smss.exe	34
PID 1724 wrote to memory of 1280	1724	smss.exe	34
PID 1724 wrote to memory of 1280	1724	smss.exe	34
PID 1724 wrote to memory of 1280	1724	smss.exe	34
PID 1280 wrote to memory of 1340	1280	smss.exe	83
PID 1280 wrote to memory of 1340	1280	smss.exe	83
PID 1280 wrote to memory of 1340	1280	smss.exe	83
PID 1280 wrote to memory of 1340	1280	smss.exe	83
PID 1340 wrote to memory of 1468	1340	csrss.exe	82
PID 1340 wrote to memory of 1468	1340	csrss.exe	82
PID 1340 wrote to memory of 1468	1340	csrss.exe	82
PID 1340 wrote to memory of 1468	1340	csrss.exe	82
PID 1280 wrote to memory of 1504	1280	smss.exe	81
PID 1280 wrote to memory of 1504	1280	smss.exe	81
PID 1280 wrote to memory of 1504	1280	smss.exe	81
PID 1280 wrote to memory of 1504	1280	smss.exe	81
PID 1504 wrote to memory of 1360	1504	smss.exe	70
PID 1504 wrote to memory of 1360	1504	smss.exe	70
PID 1504 wrote to memory of 1360	1504	smss.exe	70
PID 1504 wrote to memory of 1360	1504	smss.exe	70
PID 1280 wrote to memory of 1940	1280	smss.exe	80
PID 1280 wrote to memory of 1940	1280	smss.exe	80
PID 1280 wrote to memory of 1940	1280	smss.exe	80
PID 1280 wrote to memory of 1940	1280	smss.exe	80
PID 1940 wrote to memory of 1172	1940	lsass.exe	36
PID 1940 wrote to memory of 1172	1940	lsass.exe	36
PID 1940 wrote to memory of 1172	1940	lsass.exe	36
PID 1940 wrote to memory of 1172	1940	lsass.exe	36
PID 1172 wrote to memory of 1708	1172	lsass.exe	79
PID 1172 wrote to memory of 1708	1172	lsass.exe	79
PID 1172 wrote to memory of 1708	1172	lsass.exe	79
PID 1172 wrote to memory of 1708	1172	lsass.exe	79
PID 1708 wrote to memory of 628	1708	csrss.exe	78
PID 1708 wrote to memory of 628	1708	csrss.exe	78
PID 1708 wrote to memory of 628	1708	csrss.exe	78
PID 1708 wrote to memory of 628	1708	csrss.exe	78

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe

C:\Users\Admin\AppData\Local\Temp\800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
"C:\Users\Admin\AppData\Local\Temp\800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
  C:\Users\Admin\AppData\Local\Temp\800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2008
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1268
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1080
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1300
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:512
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1868
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1472
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:584
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:940
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1564
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:932
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        
        PID:1080
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        
        PID:428
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        
        PID:908
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        
        PID:1376
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        
        PID:876
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        
        PID:2352
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2556
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:2628
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2620
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:2612
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:2912
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2520
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2768
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:2784
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2776
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:3032

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:544
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
  2⤵
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1404
- - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\wcsa.exe
    "c:\Documents and Settings\Admin\Application Data\Microsoft\wcsa.exe" csrss
    3⤵
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2032
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1280
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1940
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1504
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1340
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1016
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:1504
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1976
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:1772
  - - C:\Windows\SysWOW64\ping.exe
      ping www.duniasex.com -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:1008
  - - C:\Windows\SysWOW64\ping.exe
      ping www.data0.net -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:1940
  - - C:\Windows\SysWOW64\ping.exe
      ping www.rasasayang.com.my -n 65500 -l 1210
      4⤵
      Runs ping.exe
      PID:1712
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im tati.exe
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im wscript.exe
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im sys.exe
      4⤵
      PID:2164
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1856
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1660
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1688
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1128
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:912
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    PID:1300
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
  2⤵
  PID:1828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1640
- C:\Windows\SysWOW64\ping.exe
  ping www.duniasex.com -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:1732
- C:\Windows\SysWOW64\ping.exe
  ping www.data0.net -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:1620
- C:\Windows\SysWOW64\ping.exe
  ping www.rasasayang.com.my -n 65500 -l 1210
  2⤵
  - Runs ping.exe
  PID:996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
  2⤵
  PID:1644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
  2⤵
  PID:744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
  2⤵
  - Drops file in System32 directory
  PID:908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im tati.exe
  2⤵
  PID:2084
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im wscript.exe
  2⤵
  PID:2172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im sys.exe
  2⤵
  PID:2252

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
1⤵
PID:1360
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
  C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1004

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1172
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1992
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    PID:688
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:876
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1788
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      PID:1356
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        
        PID:1548
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1732
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:848
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:904
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        6⤵
        
        PID:1592
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        6⤵
        
        PID:1468
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        6⤵
        
        PID:1616
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        6⤵
        
        PID:1988
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        6⤵
        
        PID:1640
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        6⤵
        Runs ping.exe
        
        PID:432
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:1540
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1344
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1360
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1468
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
      4⤵
      Executes dropped EXE
      PID:1916
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:1620
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1564
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:832
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:1948
  - - C:\Windows\SysWOW64\ping.exe
      ping www.duniasex.com -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2264
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\ping.exe
      ping www.rasasayang.com.my -n 65500 -l 1210
      4⤵
      Runs ping.exe
      PID:2280
  - - C:\Windows\SysWOW64\ping.exe
      ping www.data0.net -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2272
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im tati.exe
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im wscript.exe
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe taskkill /f /im sys.exe
      4⤵
      PID:2460
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1708
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2016
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    PID:636
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
  2⤵
  PID:1868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1208
- C:\Windows\SysWOW64\ping.exe
  ping www.duniasex.com -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:1060
- C:\Windows\SysWOW64\ping.exe
  ping www.data0.net -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:960
- C:\Windows\SysWOW64\ping.exe
  ping www.rasasayang.com.my -n 65500 -l 1210
  2⤵
  - Runs ping.exe
  PID:912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
  2⤵
  PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
  2⤵
  PID:1504
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
  2⤵
  PID:2372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im tati.exe
  2⤵
  PID:2416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im wscript.exe
  2⤵
  PID:2448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe taskkill /f /im sys.exe
  2⤵
  PID:2468

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12665748741733770802-278559107-1120456077-1798314161-2115801603-504781302-558870375"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:996

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\wcsa.exe

Filesize
76KB

MD5
e8823301b458c7042eba61bcd86421fb

SHA1
ee4128ff943db3e3eb0c48251714ab62f3eb65fd

SHA256
7e653c7b0302a804f52676cbadf659c1f61c5e086e96e2f3c3533e2cb8922e4e

SHA512
cb831b30d6e33858e0ca739a26c7f24782fc393799b9c3967302b1c7fcba2fd0e57d5c04e0c24d493723a0551be3c531a80c10c2d043c17b455774b33366081b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\wcsa.exe

Filesize
76KB

MD5
e8823301b458c7042eba61bcd86421fb

SHA1
ee4128ff943db3e3eb0c48251714ab62f3eb65fd

SHA256
7e653c7b0302a804f52676cbadf659c1f61c5e086e96e2f3c3533e2cb8922e4e

SHA512
cb831b30d6e33858e0ca739a26c7f24782fc393799b9c3967302b1c7fcba2fd0e57d5c04e0c24d493723a0551be3c531a80c10c2d043c17b455774b33366081b

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
8eb4acab2e711254072acd129e4bc86a

SHA1
ae98cf37a2ea9fb55f3154fb8e0187ddd4e17d85

SHA256
b299fd0cb109bb79b8a90da2501f33a268acb0b10b60f0aaf0ed308818094347

SHA512
89f946c9529f74afba9ad52f49b6c24238411614a58b0b86be95b22d831e888e0c89a248f7a5d88857d8402a62a123e39a8c710813dfbd5decb287db5b9740d8

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\800bcc907e2266d853599475d89e2f18ee9ea5bdb5d5d58c4e1f16a2327e45e5.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\wcsa.exe

Filesize
76KB

MD5
e8823301b458c7042eba61bcd86421fb

SHA1
ee4128ff943db3e3eb0c48251714ab62f3eb65fd

SHA256
7e653c7b0302a804f52676cbadf659c1f61c5e086e96e2f3c3533e2cb8922e4e

SHA512
cb831b30d6e33858e0ca739a26c7f24782fc393799b9c3967302b1c7fcba2fd0e57d5c04e0c24d493723a0551be3c531a80c10c2d043c17b455774b33366081b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\wcsa.exe

Filesize
76KB

MD5
e8823301b458c7042eba61bcd86421fb

SHA1
ee4128ff943db3e3eb0c48251714ab62f3eb65fd

SHA256
7e653c7b0302a804f52676cbadf659c1f61c5e086e96e2f3c3533e2cb8922e4e

SHA512
cb831b30d6e33858e0ca739a26c7f24782fc393799b9c3967302b1c7fcba2fd0e57d5c04e0c24d493723a0551be3c531a80c10c2d043c17b455774b33366081b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
db8825d757834043a13733e2f9c6bcb4

SHA1
361163ea41630e241c3a4dc7d1bf2c3ff4e84e93

SHA256
257cacb1f9b1094a0c1a826c5f90f749d3a2238ed40edd995ad0ba95fb410582

SHA512
67b3f233c2d392909a41d525000a2eca48a4eec0c62cf0296c86699610345714882ec688c551e88cc90b0ca375e69db0d01fcf3fbb7b73f4149e623912698952

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/428-381-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/432-278-0x0000000000000000-mapping.dmp

Download
memory/512-304-0x0000000000000000-mapping.dmp

Download
memory/544-409-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/544-112-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/544-74-0x0000000000000000-mapping.dmp

Download
memory/584-415-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/584-416-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/584-340-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/584-341-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/584-314-0x0000000000000000-mapping.dmp

Download
memory/584-269-0x0000000000000000-mapping.dmp

Download
memory/628-173-0x0000000000000000-mapping.dmp

Download
memory/628-176-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/636-364-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/688-180-0x0000000000000000-mapping.dmp

Download
memory/688-265-0x0000000000000000-mapping.dmp

Download
memory/688-183-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/688-268-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/832-197-0x0000000000000000-mapping.dmp

Download
memory/848-273-0x0000000000000000-mapping.dmp

Download
memory/860-190-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/860-187-0x0000000000000000-mapping.dmp

Download
memory/876-191-0x0000000000000000-mapping.dmp

Download
memory/876-425-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/876-395-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/876-434-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/904-276-0x0000000000000000-mapping.dmp

Download
memory/940-204-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/940-443-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/940-200-0x0000000000000000-mapping.dmp

Download
memory/940-323-0x0000000000000000-mapping.dmp

Download
memory/940-342-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/960-109-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/996-224-0x0000000000000000-mapping.dmp

Download
memory/996-227-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1004-244-0x0000000000000000-mapping.dmp

Download
memory/1004-247-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1008-377-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1080-297-0x0000000000000000-mapping.dmp

Download
memory/1080-362-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1080-300-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1128-344-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1172-428-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1172-208-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1172-167-0x0000000000000000-mapping.dmp

Download
memory/1268-254-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1268-251-0x0000000000000000-mapping.dmp

Download
memory/1268-294-0x0000000000000000-mapping.dmp

Download
memory/1280-123-0x0000000000000000-mapping.dmp

Download
memory/1280-205-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1280-420-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1300-361-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1300-301-0x0000000000000000-mapping.dmp

Download
memory/1308-261-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1308-258-0x0000000000000000-mapping.dmp

Download
memory/1328-272-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1328-231-0x0000000000000000-mapping.dmp

Download
memory/1328-286-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1328-293-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1340-130-0x0000000000000000-mapping.dmp

Download
memory/1340-144-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1340-234-0x0000000000000000-mapping.dmp

Download
memory/1344-255-0x0000000000000000-mapping.dmp

Download
memory/1356-279-0x0000000000000000-mapping.dmp

Download
memory/1356-206-0x0000000000000000-mapping.dmp

Download
memory/1360-241-0x0000000000000000-mapping.dmp

Download
memory/1360-154-0x0000000000000000-mapping.dmp

Download
memory/1360-159-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1376-394-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1404-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1404-94-0x0000000000000000-mapping.dmp

Download
memory/1468-289-0x0000000000000000-mapping.dmp

Download
memory/1468-137-0x0000000000000000-mapping.dmp

Download
memory/1468-142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1472-262-0x0000000000000000-mapping.dmp

Download
memory/1472-310-0x0000000000000000-mapping.dmp

Download
memory/1472-313-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1484-184-0x0000000000000000-mapping.dmp

Download
memory/1504-146-0x0000000000000000-mapping.dmp

Download
memory/1504-248-0x0000000000000000-mapping.dmp

Download
memory/1516-237-0x0000000000000000-mapping.dmp

Download
memory/1516-240-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1540-275-0x0000000000000000-mapping.dmp

Download
memory/1548-211-0x0000000000000000-mapping.dmp

Download
memory/1564-214-0x0000000000000000-mapping.dmp

Download
memory/1592-282-0x0000000000000000-mapping.dmp

Download
memory/1616-291-0x0000000000000000-mapping.dmp

Download
memory/1620-221-0x0000000000000000-mapping.dmp

Download
memory/1640-284-0x0000000000000000-mapping.dmp

Download
memory/1660-324-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1660-320-0x0000000000000000-mapping.dmp

Download
memory/1688-217-0x0000000000000000-mapping.dmp

Download
memory/1688-220-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1708-170-0x0000000000000000-mapping.dmp

Download
memory/1724-203-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1724-115-0x0000000000000000-mapping.dmp

Download
memory/1732-228-0x0000000000000000-mapping.dmp

Download
memory/1760-111-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download
memory/1788-430-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1788-194-0x0000000000000000-mapping.dmp

Download
memory/1788-209-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1836-388-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1856-317-0x0000000000000000-mapping.dmp

Download
memory/1868-307-0x0000000000000000-mapping.dmp

Download
memory/1916-277-0x0000000000000000-mapping.dmp

Download
memory/1940-162-0x0000000000000000-mapping.dmp

Download
memory/1948-337-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-358-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1988-287-0x0000000000000000-mapping.dmp

Download
memory/1992-177-0x0000000000000000-mapping.dmp

Download
memory/2008-110-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2008-58-0x0000000000000000-mapping.dmp

Download
memory/2008-448-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-86-0x0000000000000000-mapping.dmp

Download
memory/2032-102-0x0000000000000000-mapping.dmp

Download