40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0

Analysis

max time kernel
213s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Size

205KB
MD5

2bd31abed54818b594289a940e420ebc
SHA1

640d1c9e01ed4feaa5e7e74e947400a3124e64a2
SHA256

40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0
SHA512

76e0b97e21d53bcab43a32ccac7dea677f7d5b096337aa986d1be039fb3688cbb8ff32201dbf6e713093c9efffd625cecf594fb8a75ef3caae8b7f47e7d95daf
SSDEEP

3072:nqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:nqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe

Modifies system executable filetype association 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hizw.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hizw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
4840	csrss.exe
3788	csrss.exe
3396	csrss.exe
5008	csrss.exe
1540	smss.exe
3984	smss.exe
1812	smss.exe
3160	hizw.exe
4168	smss.exe
3100	scag.exe
5096	lsass.exe
372	lsass.exe
4144	csrss.exe
1668	csrss.exe
1528	lsass.exe
4572	lsass.exe
912	csrss.exe
4896	csrss.exe
756	smss.exe
3824	smss.exe
1640	services.exe
2692	services.exe
2576	smss.exe
5092	lsass.exe
3020	lsass.exe
5088	smss.exe
4864	services.exe
3848	services.exe
4612	services.exe
4992	services.exe
4544	lsass.exe
3500	lsass.exe
4784	winlogon.exe
4788	winlogon.exe
388	csrss.exe
3624	csrss.exe
4164	winlogon.exe
4292	services.exe
3964	services.exe
1800	smss.exe
2072	smss.exe
4912	winlogon.exe
3556	winlogon.exe
4416	~Paraysutki_VM_Community~
2984	winlogon.exe
4396	winlogon.exe
5008	~Paraysutki_VM_Community~
2968	~Paraysutki_VM_Community~
3420	winlogon.exe
2380	~Paraysutki_VM_Community~
2632	lsass.exe
5056	csrss.exe
3080	lsass.exe
2856	csrss.exe
360	services.exe
5068	smss.exe
3568	services.exe
2040	smss.exe
4748	lsass.exe
2004	winlogon.exe
1392	winlogon.exe
4652	lsass.exe
3152	services.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	lsass.exe

Loads dropped DLL 64 IoCs

pid	Process
4840	csrss.exe
3788	csrss.exe
3396	csrss.exe
5008	csrss.exe
1540	smss.exe
3984	smss.exe
1812	smss.exe
4168	smss.exe
5096	lsass.exe
372	lsass.exe
4144	csrss.exe
1668	csrss.exe
1528	lsass.exe
4572	lsass.exe
912	csrss.exe
4896	csrss.exe
756	smss.exe
3824	smss.exe
1640	services.exe
2692	services.exe
2576	smss.exe
5092	lsass.exe
3020	lsass.exe
5088	smss.exe
4864	services.exe
3848	services.exe
4612	services.exe
4992	services.exe
4544	lsass.exe
3500	lsass.exe
4784	winlogon.exe
4788	winlogon.exe
388	csrss.exe
3624	csrss.exe
4164	winlogon.exe
4292	services.exe
3964	services.exe
1800	smss.exe
2072	smss.exe
4912	winlogon.exe
3556	winlogon.exe
4416	~Paraysutki_VM_Community~
2984	winlogon.exe
5008	~Paraysutki_VM_Community~
4396	winlogon.exe
2968	~Paraysutki_VM_Community~
3420	winlogon.exe
2632	lsass.exe
2380	~Paraysutki_VM_Community~
5056	csrss.exe
3080	lsass.exe
2856	csrss.exe
360	services.exe
5068	smss.exe
3568	services.exe
2040	smss.exe
4748	lsass.exe
2004	winlogon.exe
1392	winlogon.exe
4652	lsass.exe
3152	services.exe
2252	services.exe
1088	~Paraysutki_VM_Community~
2168	winlogon.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	hizw.exe
File opened (read-only)	\??\Y:	hizw.exe
File opened (read-only)	\??\Z:	hizw.exe
File opened (read-only)	\??\F:	hizw.exe
File opened (read-only)	\??\J:	hizw.exe
File opened (read-only)	\??\L:	hizw.exe
File opened (read-only)	\??\P:	hizw.exe
File opened (read-only)	\??\S:	hizw.exe
File opened (read-only)	\??\U:	hizw.exe
File opened (read-only)	\??\B:	hizw.exe
File opened (read-only)	\??\E:	hizw.exe
File opened (read-only)	\??\I:	hizw.exe
File opened (read-only)	\??\K:	hizw.exe
File opened (read-only)	\??\M:	hizw.exe
File opened (read-only)	\??\N:	hizw.exe
File opened (read-only)	\??\W:	hizw.exe
File opened (read-only)	\??\X:	hizw.exe
File opened (read-only)	\??\T:	hizw.exe
File opened (read-only)	\??\V:	hizw.exe
File opened (read-only)	\??\G:	hizw.exe
File opened (read-only)	\??\H:	hizw.exe
File opened (read-only)	\??\O:	hizw.exe
File opened (read-only)	\??\Q:	hizw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	scag.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	hizw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	hizw.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	hizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	hizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	hizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	hizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	hizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	hizw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	hizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	hizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	hizw.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
1264	ping.exe
4164	ping.exe
1696	ping.exe
3636	ping.exe
4496	ping.exe
8	ping.exe
452	ping.exe
1564	ping.exe
4356	ping.exe
3980	ping.exe
1992	ping.exe
2584	ping.exe
4348	ping.exe
1932	ping.exe
4508	ping.exe
3648	ping.exe
2576	ping.exe
4788	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
4840	csrss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
1540	smss.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
1640	services.exe
1640	services.exe
1640	services.exe
1640	services.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2952	rundll32.exe
2760	rundll32.exe
4640	rundll32.exe
912	rundll32.exe
2564	rundll32.exe
2440	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5100	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
4840	csrss.exe
3788	csrss.exe
3396	csrss.exe
5008	csrss.exe
1540	smss.exe
3984	smss.exe
1812	smss.exe
3160	hizw.exe
4168	smss.exe
3100	scag.exe
5096	lsass.exe
372	lsass.exe
4144	csrss.exe
1668	csrss.exe
4572	lsass.exe
1528	lsass.exe
912	csrss.exe
4896	csrss.exe
756	smss.exe
3824	smss.exe
1640	services.exe
2692	services.exe
5092	lsass.exe
2576	smss.exe
3020	lsass.exe
5088	smss.exe
4864	services.exe
3848	services.exe
4612	services.exe
4992	services.exe
4544	lsass.exe
3500	lsass.exe
4784	winlogon.exe
4788	winlogon.exe
388	csrss.exe
3624	csrss.exe
4164	winlogon.exe
3964	services.exe
1800	smss.exe
2072	smss.exe
4912	winlogon.exe
3556	winlogon.exe
2984	winlogon.exe
4396	winlogon.exe
2968	~Paraysutki_VM_Community~
5008	~Paraysutki_VM_Community~
4416	~Paraysutki_VM_Community~
3420	winlogon.exe
2632	lsass.exe
2380	~Paraysutki_VM_Community~
5056	csrss.exe
3080	lsass.exe
2856	csrss.exe
360	services.exe
5068	smss.exe
3568	services.exe
2040	smss.exe
2004	winlogon.exe
4748	lsass.exe
4652	lsass.exe
1392	winlogon.exe
3152	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3760	5100	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	83
PID 5100 wrote to memory of 3760	5100	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	83
PID 5100 wrote to memory of 3760	5100	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	83
PID 3760 wrote to memory of 4840	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	84
PID 3760 wrote to memory of 4840	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	84
PID 3760 wrote to memory of 4840	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	84
PID 4840 wrote to memory of 3788	4840	csrss.exe	85
PID 4840 wrote to memory of 3788	4840	csrss.exe	85
PID 4840 wrote to memory of 3788	4840	csrss.exe	85
PID 3788 wrote to memory of 3396	3788	csrss.exe	86
PID 3788 wrote to memory of 3396	3788	csrss.exe	86
PID 3788 wrote to memory of 3396	3788	csrss.exe	86
PID 3396 wrote to memory of 5008	3396	csrss.exe	87
PID 3396 wrote to memory of 5008	3396	csrss.exe	87
PID 3396 wrote to memory of 5008	3396	csrss.exe	87
PID 3788 wrote to memory of 1540	3788	csrss.exe	88
PID 3788 wrote to memory of 1540	3788	csrss.exe	88
PID 3788 wrote to memory of 1540	3788	csrss.exe	88
PID 3760 wrote to memory of 3984	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	89
PID 3760 wrote to memory of 3984	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	89
PID 3760 wrote to memory of 3984	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	89
PID 1540 wrote to memory of 1812	1540	smss.exe	90
PID 1540 wrote to memory of 1812	1540	smss.exe	90
PID 1540 wrote to memory of 1812	1540	smss.exe	90
PID 3396 wrote to memory of 3160	3396	csrss.exe	91
PID 3396 wrote to memory of 3160	3396	csrss.exe	91
PID 3396 wrote to memory of 3160	3396	csrss.exe	91
PID 3984 wrote to memory of 4168	3984	smss.exe	92
PID 3984 wrote to memory of 4168	3984	smss.exe	92
PID 3984 wrote to memory of 4168	3984	smss.exe	92
PID 4840 wrote to memory of 3100	4840	csrss.exe	93
PID 4840 wrote to memory of 3100	4840	csrss.exe	93
PID 4840 wrote to memory of 3100	4840	csrss.exe	93
PID 3760 wrote to memory of 5096	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	94
PID 3760 wrote to memory of 5096	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	94
PID 3760 wrote to memory of 5096	3760	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe	94
PID 3788 wrote to memory of 372	3788	csrss.exe	95
PID 3788 wrote to memory of 372	3788	csrss.exe	95
PID 3788 wrote to memory of 372	3788	csrss.exe	95
PID 1812 wrote to memory of 4144	1812	smss.exe	96
PID 1812 wrote to memory of 4144	1812	smss.exe	96
PID 1812 wrote to memory of 4144	1812	smss.exe	96
PID 4144 wrote to memory of 1668	4144	csrss.exe	97
PID 4144 wrote to memory of 1668	4144	csrss.exe	97
PID 4144 wrote to memory of 1668	4144	csrss.exe	97
PID 5096 wrote to memory of 1528	5096	lsass.exe	99
PID 5096 wrote to memory of 1528	5096	lsass.exe	99
PID 5096 wrote to memory of 1528	5096	lsass.exe	99
PID 372 wrote to memory of 4572	372	lsass.exe	98
PID 372 wrote to memory of 4572	372	lsass.exe	98
PID 372 wrote to memory of 4572	372	lsass.exe	98
PID 1528 wrote to memory of 912	1528	lsass.exe	100
PID 1528 wrote to memory of 912	1528	lsass.exe	100
PID 1528 wrote to memory of 912	1528	lsass.exe	100
PID 912 wrote to memory of 4896	912	csrss.exe	101
PID 912 wrote to memory of 4896	912	csrss.exe	101
PID 912 wrote to memory of 4896	912	csrss.exe	101
PID 1812 wrote to memory of 756	1812	smss.exe	102
PID 1812 wrote to memory of 756	1812	smss.exe	102
PID 1812 wrote to memory of 756	1812	smss.exe	102
PID 756 wrote to memory of 3824	756	smss.exe	103
PID 756 wrote to memory of 3824	756	smss.exe	103
PID 756 wrote to memory of 3824	756	smss.exe	103
PID 3788 wrote to memory of 1640	3788	csrss.exe	105

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
"C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
  C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3760
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3788
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3396
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5008
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\hizw.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\hizw.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3160
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4164
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4912
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5056
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5068
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3152
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        10⤵
        Loads dropped DLL
        
        PID:2252
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        10⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2440
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        9⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        9⤵
        Runs ping.exe
        
        PID:1264
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:4788
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        9⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:4164
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        9⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        9⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        9⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        9⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2564
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:3648
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1696
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2584
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:372
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4572
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1640
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2760
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:676
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:8
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:452
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1564
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4784
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2984
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4416
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2952
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:4496
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:4836
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3980
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:4508
  - - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scag.exe
      "c:\Documents and Settings\Admin\Application Data\Microsoft\scag.exe" csrss
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:3100
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4168
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1528
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4896
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2576
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5088
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4544
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3500
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4292
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3964
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4396
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2380
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:912
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:3720
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:4348
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1932
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1992
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2692
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3848
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4788
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3556
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4640
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:4356
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:3636
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2576
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:852
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:3308

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\40281f53223e993632d2893654c9969d2516e6458067a5548a1191ff394918c0.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\hizw.exe

Filesize
76KB

MD5
0cf4253bb840297376c9147f8722952a

SHA1
777cda68995f99ca178e34baa22505b4d7fdb357

SHA256
8afc1a81b374a598e728d763fc62192125a94c36a12b711a07c50f47dad78dda

SHA512
9377a1f38ad9ffb67cc754d19fe9f6dbc1821baa183c0e2aa54c1f058e09563b8443d5d8c81268686bd7233792c96b9e99fd0ef9ae8d0b3082d5ab9417d9d319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\scag.exe

Filesize
76KB

MD5
0cf4253bb840297376c9147f8722952a

SHA1
777cda68995f99ca178e34baa22505b4d7fdb357

SHA256
8afc1a81b374a598e728d763fc62192125a94c36a12b711a07c50f47dad78dda

SHA512
9377a1f38ad9ffb67cc754d19fe9f6dbc1821baa183c0e2aa54c1f058e09563b8443d5d8c81268686bd7233792c96b9e99fd0ef9ae8d0b3082d5ab9417d9d319

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
ab0a1a28119eaf5632699b7e82026719

SHA1
dea342072748f8d23bdaa8a36768c6382c211619

SHA256
bbc2c1518e9431aed55f04d6305bcb3fc92686349eac0cfa3cfc961d2955dc94

SHA512
1bed2ffc904f00ce13e7da15cdfbe54c3291c5782e4fad3bdfc504589112dcf72417aaf860d82d05acde60eb1f8db4a5360ffc01b115f1678802c106da599892

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\hizw.exe

Filesize
76KB

MD5
0cf4253bb840297376c9147f8722952a

SHA1
777cda68995f99ca178e34baa22505b4d7fdb357

SHA256
8afc1a81b374a598e728d763fc62192125a94c36a12b711a07c50f47dad78dda

SHA512
9377a1f38ad9ffb67cc754d19fe9f6dbc1821baa183c0e2aa54c1f058e09563b8443d5d8c81268686bd7233792c96b9e99fd0ef9ae8d0b3082d5ab9417d9d319

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scag.exe

Filesize
76KB

MD5
0cf4253bb840297376c9147f8722952a

SHA1
777cda68995f99ca178e34baa22505b4d7fdb357

SHA256
8afc1a81b374a598e728d763fc62192125a94c36a12b711a07c50f47dad78dda

SHA512
9377a1f38ad9ffb67cc754d19fe9f6dbc1821baa183c0e2aa54c1f058e09563b8443d5d8c81268686bd7233792c96b9e99fd0ef9ae8d0b3082d5ab9417d9d319

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
0cf4253bb840297376c9147f8722952a

SHA1
777cda68995f99ca178e34baa22505b4d7fdb357

SHA256
8afc1a81b374a598e728d763fc62192125a94c36a12b711a07c50f47dad78dda

SHA512
9377a1f38ad9ffb67cc754d19fe9f6dbc1821baa183c0e2aa54c1f058e09563b8443d5d8c81268686bd7233792c96b9e99fd0ef9ae8d0b3082d5ab9417d9d319

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/1392-433-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1392-443-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1528-459-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1528-296-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1528-249-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-263-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-234-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-210-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-456-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2040-418-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2040-423-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-349-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-383-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2252-444-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2252-442-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2504-452-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2504-451-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2856-400-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2856-405-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2984-377-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2984-388-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3020-294-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3020-304-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3080-407-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3080-399-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3420-378-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3420-385-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3500-359-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3500-326-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3556-401-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3556-380-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3568-421-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3568-417-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-367-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-333-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3760-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3760-172-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3760-455-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3788-457-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3788-170-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3824-282-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3848-323-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3964-361-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3964-341-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4168-211-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4168-248-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-250-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-266-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4652-436-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4652-434-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4864-301-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4864-458-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4864-334-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4896-267-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4912-402-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4912-460-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4912-379-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4992-342-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4992-311-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5008-171-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5008-174-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5088-295-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5088-314-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download