40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0

Analysis

max time kernel
88s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Size

205KB
MD5

2bd31abed54818b594289a940e420ebc
SHA1

640d1c9e01ed4feaa5e7e74e947400a3124e64a2
SHA256

40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0
SHA512

76e0b97e21d53bcab43a32ccac7dea677f7d5b096337aa986d1be039fb3688cbb8ff32201dbf6e713093c9efffd625cecf594fb8a75ef3caae8b7f47e7d95daf
SSDEEP

3072:nqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:nqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	scwt.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	scwt.exe

Executes dropped EXE 48 IoCs

pid	Process
1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
1672	csrss.exe
576	csrss.exe
1584	csrss.exe
1568	csrss.exe
1752	scwt.exe
836	smss.exe
1940	smss.exe
2012	csrss.exe
1072	csrss.exe
112	smss.exe
1968	smss.exe
1176	lsass.exe
1168	lsass.exe
1216	csrss.exe
1496	csrss.exe
636	smss.exe
1716	smss.exe
1400	lsass.exe
748	lsass.exe
1488	services.exe
284	services.exe
1848	csrss.exe
1380	csrss.exe
1004	smss.exe
828	lsass.exe
1852	services.exe
852	smss.exe
1980	lsass.exe
1720	winlogon.exe
1704	winlogon.exe
980	services.exe
1420	lsass.exe
1684	lsass.exe
1968	lsass.exe
1372	lsass.exe
1620	services.exe
268	smss.exe
768	smss.exe
1640	winlogon.exe
1480	services.exe
1996	csrss.exe
1796	winlogon.exe
868	services.exe
1656	~Paraysutki_VM_Community~
452	~Paraysutki_VM_Community~
1380	csrss.exe
1772	rundll32.exe

Loads dropped DLL 64 IoCs

pid	Process
2028	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
2028	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
576	csrss.exe
576	csrss.exe
576	csrss.exe
1584	csrss.exe
1584	csrss.exe
1568	csrss.exe
1584	csrss.exe
1584	csrss.exe
576	csrss.exe
576	csrss.exe
836	smss.exe
836	smss.exe
836	smss.exe
1940	smss.exe
1940	smss.exe
1940	smss.exe
2012	csrss.exe
2012	csrss.exe
1072	csrss.exe
1940	smss.exe
1940	smss.exe
112	smss.exe
112	smss.exe
1968	smss.exe
1940	smss.exe
1940	smss.exe
1176	lsass.exe
1176	lsass.exe
1176	lsass.exe
1168	lsass.exe
1168	lsass.exe
1168	lsass.exe
1216	csrss.exe
1216	csrss.exe
1496	csrss.exe
1168	lsass.exe
1168	lsass.exe
636	smss.exe
636	smss.exe
1716	smss.exe
1168	lsass.exe
1168	lsass.exe
1400	lsass.exe
1400	lsass.exe
748	lsass.exe
1168	lsass.exe
1168	lsass.exe
1488	services.exe
1488	services.exe
1488	services.exe
284	services.exe
284	services.exe
284	services.exe
1848	csrss.exe
1848	csrss.exe
1380	csrss.exe
1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	scwt.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	scwt.exe
File opened (read-only)	\??\O:	scwt.exe
File opened (read-only)	\??\R:	scwt.exe
File opened (read-only)	\??\U:	scwt.exe
File opened (read-only)	\??\W:	scwt.exe
File opened (read-only)	\??\B:	scwt.exe
File opened (read-only)	\??\I:	scwt.exe
File opened (read-only)	\??\M:	scwt.exe
File opened (read-only)	\??\S:	scwt.exe
File opened (read-only)	\??\T:	scwt.exe
File opened (read-only)	\??\V:	scwt.exe
File opened (read-only)	\??\X:	scwt.exe
File opened (read-only)	\??\E:	scwt.exe
File opened (read-only)	\??\G:	scwt.exe
File opened (read-only)	\??\H:	scwt.exe
File opened (read-only)	\??\Q:	scwt.exe
File opened (read-only)	\??\Z:	scwt.exe
File opened (read-only)	\??\F:	scwt.exe
File opened (read-only)	\??\J:	scwt.exe
File opened (read-only)	\??\P:	scwt.exe
File opened (read-only)	\??\K:	scwt.exe
File opened (read-only)	\??\L:	scwt.exe
File opened (read-only)	\??\Y:	scwt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Process not Found
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	scwt.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	scwt.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	scwt.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	scwt.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	scwt.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	scwt.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	scwt.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	scwt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	scwt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	scwt.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1924	ping.exe
1060	ping.exe
1848	ping.exe
948	ping.exe
468	ping.exe
580	ping.exe
1632	ping.exe
1416	ping.exe
1248	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
836	smss.exe
1176	lsass.exe
1176	lsass.exe
1176	lsass.exe
1176	lsass.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
2028	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
1672	csrss.exe
576	csrss.exe
1584	csrss.exe
1568	csrss.exe
1752	scwt.exe
836	smss.exe
1940	smss.exe
2012	csrss.exe
1072	csrss.exe
112	smss.exe
1968	smss.exe
1176	lsass.exe
1168	lsass.exe
1216	csrss.exe
1496	csrss.exe
636	smss.exe
1716	smss.exe
1400	lsass.exe
748	lsass.exe
1488	services.exe
284	services.exe
1848	csrss.exe
1380	csrss.exe
828	lsass.exe
1852	services.exe
1684	lsass.exe
1420	lsass.exe
980	services.exe
1704	winlogon.exe
1004	smss.exe
852	smss.exe
1968	lsass.exe
1620	services.exe
1372	lsass.exe
1980	lsass.exe
268	smss.exe
768	smss.exe
1640	winlogon.exe
1996	Process not Found
868	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1144	2028	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	28
PID 2028 wrote to memory of 1144	2028	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	28
PID 2028 wrote to memory of 1144	2028	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	28
PID 2028 wrote to memory of 1144	2028	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	28
PID 1144 wrote to memory of 1672	1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	29
PID 1144 wrote to memory of 1672	1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	29
PID 1144 wrote to memory of 1672	1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	29
PID 1144 wrote to memory of 1672	1144	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	29
PID 1672 wrote to memory of 576	1672	csrss.exe	30
PID 1672 wrote to memory of 576	1672	csrss.exe	30
PID 1672 wrote to memory of 576	1672	csrss.exe	30
PID 1672 wrote to memory of 576	1672	csrss.exe	30
PID 576 wrote to memory of 1584	576	csrss.exe	31
PID 576 wrote to memory of 1584	576	csrss.exe	31
PID 576 wrote to memory of 1584	576	csrss.exe	31
PID 576 wrote to memory of 1584	576	csrss.exe	31
PID 1584 wrote to memory of 1568	1584	csrss.exe	32
PID 1584 wrote to memory of 1568	1584	csrss.exe	32
PID 1584 wrote to memory of 1568	1584	csrss.exe	32
PID 1584 wrote to memory of 1568	1584	csrss.exe	32
PID 1584 wrote to memory of 1752	1584	csrss.exe	33
PID 1584 wrote to memory of 1752	1584	csrss.exe	33
PID 1584 wrote to memory of 1752	1584	csrss.exe	33
PID 1584 wrote to memory of 1752	1584	csrss.exe	33
PID 576 wrote to memory of 836	576	csrss.exe	34
PID 576 wrote to memory of 836	576	csrss.exe	34
PID 576 wrote to memory of 836	576	csrss.exe	34
PID 576 wrote to memory of 836	576	csrss.exe	34
PID 836 wrote to memory of 1940	836	smss.exe	35
PID 836 wrote to memory of 1940	836	smss.exe	35
PID 836 wrote to memory of 1940	836	smss.exe	35
PID 836 wrote to memory of 1940	836	smss.exe	35
PID 1940 wrote to memory of 2012	1940	smss.exe	36
PID 1940 wrote to memory of 2012	1940	smss.exe	36
PID 1940 wrote to memory of 2012	1940	smss.exe	36
PID 1940 wrote to memory of 2012	1940	smss.exe	36
PID 2012 wrote to memory of 1072	2012	csrss.exe	37
PID 2012 wrote to memory of 1072	2012	csrss.exe	37
PID 2012 wrote to memory of 1072	2012	csrss.exe	37
PID 2012 wrote to memory of 1072	2012	csrss.exe	37
PID 1940 wrote to memory of 112	1940	smss.exe	38
PID 1940 wrote to memory of 112	1940	smss.exe	38
PID 1940 wrote to memory of 112	1940	smss.exe	38
PID 1940 wrote to memory of 112	1940	smss.exe	38
PID 112 wrote to memory of 1968	112	smss.exe	39
PID 112 wrote to memory of 1968	112	smss.exe	39
PID 112 wrote to memory of 1968	112	smss.exe	39
PID 112 wrote to memory of 1968	112	smss.exe	39
PID 1940 wrote to memory of 1176	1940	smss.exe	40
PID 1940 wrote to memory of 1176	1940	smss.exe	40
PID 1940 wrote to memory of 1176	1940	smss.exe	40
PID 1940 wrote to memory of 1176	1940	smss.exe	40
PID 1176 wrote to memory of 1168	1176	lsass.exe	41
PID 1176 wrote to memory of 1168	1176	lsass.exe	41
PID 1176 wrote to memory of 1168	1176	lsass.exe	41
PID 1176 wrote to memory of 1168	1176	lsass.exe	41
PID 1168 wrote to memory of 1216	1168	lsass.exe	42
PID 1168 wrote to memory of 1216	1168	lsass.exe	42
PID 1168 wrote to memory of 1216	1168	lsass.exe	42
PID 1168 wrote to memory of 1216	1168	lsass.exe	42
PID 1216 wrote to memory of 1496	1216	csrss.exe	43
PID 1216 wrote to memory of 1496	1216	csrss.exe	43
PID 1216 wrote to memory of 1496	1216	csrss.exe	43
PID 1216 wrote to memory of 1496	1216	csrss.exe	43

C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
"C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
  C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:576
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1568
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwt.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\scwt.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1752
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:284
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        11⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        12⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        11⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        12⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        11⤵
        
        PID:468
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:432
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        11⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        11⤵
        Runs ping.exe
        
        PID:948
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:468
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:580
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        11⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:1416
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:1060
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        9⤵
        Runs ping.exe
        
        PID:1848
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        9⤵
        
        PID:948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        9⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        9⤵
        
        PID:580
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        9⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        9⤵
        
        PID:948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        9⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        
        PID:872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        
        PID:672
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        10⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:316
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1632
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1248
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:1924
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:580
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:2352
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:828
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:980
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        
        PID:1796
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        
        PID:532
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1004
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:768
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1420
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1968
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    PID:1480
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      PID:584
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    PID:1772
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      PID:1568
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\scwt.exe

Filesize
76KB

MD5
72fb264f4e43220ceeba73e44e2b9efe

SHA1
ac300ba806a40f54efb261553090ab991e43e036

SHA256
7d056f5e141f6a23b465a9509c122f34c922a38f7f976b4d3a0efaf2e268baed

SHA512
513d7d46dc9ec14020a7a1666a529719793efaabe97d8a42f711c9c1eba81c63f38d501057f801f8120ac15583d6849f572920b254f488da74de6f5b80bfb35e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwt.exe

Filesize
76KB

MD5
72fb264f4e43220ceeba73e44e2b9efe

SHA1
ac300ba806a40f54efb261553090ab991e43e036

SHA256
7d056f5e141f6a23b465a9509c122f34c922a38f7f976b4d3a0efaf2e268baed

SHA512
513d7d46dc9ec14020a7a1666a529719793efaabe97d8a42f711c9c1eba81c63f38d501057f801f8120ac15583d6849f572920b254f488da74de6f5b80bfb35e

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\scwt.exe

Filesize
76KB

MD5
72fb264f4e43220ceeba73e44e2b9efe

SHA1
ac300ba806a40f54efb261553090ab991e43e036

SHA256
7d056f5e141f6a23b465a9509c122f34c922a38f7f976b4d3a0efaf2e268baed

SHA512
513d7d46dc9ec14020a7a1666a529719793efaabe97d8a42f711c9c1eba81c63f38d501057f801f8120ac15583d6849f572920b254f488da74de6f5b80bfb35e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\scwt.exe

Filesize
76KB

MD5
72fb264f4e43220ceeba73e44e2b9efe

SHA1
ac300ba806a40f54efb261553090ab991e43e036

SHA256
7d056f5e141f6a23b465a9509c122f34c922a38f7f976b4d3a0efaf2e268baed

SHA512
513d7d46dc9ec14020a7a1666a529719793efaabe97d8a42f711c9c1eba81c63f38d501057f801f8120ac15583d6849f572920b254f488da74de6f5b80bfb35e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
b46718b78a405debb301e0313c979b09

SHA1
7a7c4861c7ac5ecfaa8551dd9088d52eee6ee38f

SHA256
265daf919d8ed1723b6fe62092d50e398b4f36dbaa4da7e3d0c1aa7bf51a3501

SHA512
0149eaaf092b4fd610decd4d327ed12b3f831144c77a4202d19370fa407aac98e8d2b1aea50e3380d98e6f2e52b9d365e392f499376b0839ec2aa73885eaccd7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/268-289-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/284-210-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/284-387-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-113-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/584-376-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/636-188-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/672-373-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/748-195-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/768-297-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/828-262-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/836-217-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/836-175-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/836-173-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/852-295-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/852-258-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/868-303-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/868-322-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1004-296-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1004-261-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1072-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1144-111-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1168-301-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1168-370-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1168-177-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1372-260-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1380-208-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1380-320-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1420-244-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/1488-209-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1496-180-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1568-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-245-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-291-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1640-276-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1672-112-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1684-285-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1684-243-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1692-323-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1704-274-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1704-309-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1704-308-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1716-187-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1724-378-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1940-176-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1940-389-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-159-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-259-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-272-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1980-263-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1980-221-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2028-215-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2028-109-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2028-110-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2028-216-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2036-371-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/2036-382-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download