b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e

Analysis

max time kernel
154s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Size

205KB
MD5

ccc82b1ee2cb94ef4772c9bae5e5a11b
SHA1

37dceddb90196ca9b4b8320aa8f20eb398bf0c2f
SHA256

b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e
SHA512

cf16c1208b41f858d69764076d7c5e5dc78e8875d7737adde936e7b1c348dced744b9d6ca9604289310eebed0cbeded9c13033680bef9ae61edde3d854bcfe84
SSDEEP

3072:VqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:VqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	schg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	schg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
1960	csrss.exe
4692	csrss.exe
2388	csrss.exe
2080	csrss.exe
4876	smss.exe
3412	smss.exe
4992	smss.exe
4084	schg.exe
364	smss.exe
1860	csrss.exe
3600	csrss.exe
5092	smss.exe
700	lsass.exe
3624	smss.exe
1656	lsass.exe
4400	lsass.exe
3172	lsass.exe
924	csrss.exe
904	csrss.exe
3660	lsass.exe
1480	lsass.exe
1348	services.exe
716	smss.exe
2068	services.exe
2924	services.exe
2312	smss.exe
3120	csrss.exe
3800	services.exe
2780	csrss.exe
4488	winlogon.exe
1364	lsass.exe
4596	services.exe
4952	winlogon.exe
4344	smss.exe
3936	lsass.exe
2836	services.exe
2308	csrss.exe
1028	smss.exe
3504	csrss.exe
1624	services.exe
5060	services.exe
1088	winlogon.exe
2340	lsass.exe
3388	winlogon.exe
3460	winlogon.exe
1012	smss.exe
3148	lsass.exe
2968	winlogon.exe
3256	~Paraysutki_VM_Community~
2644	services.exe
4604	smss.exe
3604	services.exe
2496	~Paraysutki_VM_Community~
4332	lsass.exe
2084	winlogon.exe
1592	lsass.exe
4908	winlogon.exe
3624	services.exe
3056	rundll32.exe
4476	rundll32.exe
972	winlogon.exe
4272	winlogon.exe
1964	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe

Loads dropped DLL 64 IoCs

pid	Process
1960	csrss.exe
4692	csrss.exe
2388	csrss.exe
2080	csrss.exe
4876	smss.exe
3412	smss.exe
4992	smss.exe
364	smss.exe
1860	csrss.exe
3600	csrss.exe
5092	smss.exe
700	lsass.exe
3624	smss.exe
1656	lsass.exe
4400	lsass.exe
924	csrss.exe
3172	lsass.exe
904	csrss.exe
3660	lsass.exe
1480	lsass.exe
1348	services.exe
716	smss.exe
2068	services.exe
2924	services.exe
2312	smss.exe
3120	csrss.exe
3800	services.exe
2780	csrss.exe
4488	winlogon.exe
1364	lsass.exe
4596	services.exe
4952	winlogon.exe
4344	smss.exe
3936	lsass.exe
2836	services.exe
2308	csrss.exe
1028	smss.exe
3504	csrss.exe
1624	services.exe
5060	services.exe
1088	winlogon.exe
2340	lsass.exe
3388	winlogon.exe
3460	winlogon.exe
1012	smss.exe
3148	lsass.exe
2968	winlogon.exe
3256	~Paraysutki_VM_Community~
2644	services.exe
4604	smss.exe
3604	services.exe
2496	~Paraysutki_VM_Community~
4332	lsass.exe
2084	winlogon.exe
1592	lsass.exe
4908	winlogon.exe
3624	services.exe
3056	rundll32.exe
4476	rundll32.exe
972	winlogon.exe
4272	winlogon.exe
1964	winlogon.exe
2544	winlogon.exe
1084	~Paraysutki_VM_Community~

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops desktop.ini file(s) 39 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	rundll32.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	schg.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File created	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	schg.exe
File opened (read-only)	\??\J:	schg.exe
File opened (read-only)	\??\Q:	schg.exe
File opened (read-only)	\??\S:	schg.exe
File opened (read-only)	\??\T:	schg.exe
File opened (read-only)	\??\Y:	schg.exe
File opened (read-only)	\??\E:	schg.exe
File opened (read-only)	\??\I:	schg.exe
File opened (read-only)	\??\N:	schg.exe
File opened (read-only)	\??\O:	schg.exe
File opened (read-only)	\??\V:	schg.exe
File opened (read-only)	\??\G:	schg.exe
File opened (read-only)	\??\H:	schg.exe
File opened (read-only)	\??\L:	schg.exe
File opened (read-only)	\??\P:	schg.exe
File opened (read-only)	\??\U:	schg.exe
File opened (read-only)	\??\W:	schg.exe
File opened (read-only)	\??\X:	schg.exe
File opened (read-only)	\??\B:	schg.exe
File opened (read-only)	\??\K:	schg.exe
File opened (read-only)	\??\M:	schg.exe
File opened (read-only)	\??\R:	schg.exe
File opened (read-only)	\??\Z:	schg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	csrss.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	schg.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	schg.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	schg.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe

Sets desktop wallpaper using registry 2 TTPs 38 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	~Paraysutki_VM_Community~
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	schg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	~Paraysutki_VM_Community~
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	~Paraysutki_VM_Community~
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	~Paraysutki_VM_Community~
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	~Paraysutki_VM_Community~

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	schg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	schg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	schg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	schg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	schg.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	schg.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	schg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	schg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	schg.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	schg.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	rundll32.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	~Paraysutki_VM_Community~
File created	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	winlogon.exe
File opened for modification	\??\c:\windows\Desktop.ini	schg.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	lsass.exe
File opened for modification	\??\c:\windows\Desktop.ini	services.exe
File opened for modification	\??\c:\windows\Desktop.ini	csrss.exe
File opened for modification	\??\c:\windows\Desktop.ini	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	schg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	schg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	schg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	schg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	schg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	schg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	schg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	schg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	schg.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
1500	ping.exe
8	ping.exe
628	ping.exe
2556	ping.exe
2124	ping.exe
308	ping.exe
1128	ping.exe
2656	ping.exe
4228	ping.exe
2120	ping.exe
1088	ping.exe
4728	ping.exe
3384	ping.exe
228	ping.exe
2092	ping.exe
4316	ping.exe
3648	ping.exe
3480	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
1960	csrss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
4876	smss.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe
700	lsass.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4076	rundll32.exe
984	rundll32.exe
3340	rundll32.exe
1624	rundll32.exe
2284	rundll32.exe
2584	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
60	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
1960	csrss.exe
4692	csrss.exe
2388	csrss.exe
2080	csrss.exe
4876	smss.exe
3412	smss.exe
4992	smss.exe
4084	schg.exe
364	smss.exe
1860	csrss.exe
3600	csrss.exe
5092	smss.exe
700	lsass.exe
3624	smss.exe
1656	lsass.exe
4400	lsass.exe
924	csrss.exe
3172	lsass.exe
904	csrss.exe
3660	lsass.exe
1480	lsass.exe
1348	services.exe
716	smss.exe
2068	services.exe
2924	services.exe
2312	smss.exe
3800	services.exe
3120	csrss.exe
2780	csrss.exe
4488	winlogon.exe
1364	lsass.exe
4952	winlogon.exe
4596	services.exe
4344	smss.exe
3936	lsass.exe
2836	services.exe
2308	csrss.exe
1028	smss.exe
1624	services.exe
3504	csrss.exe
5060	services.exe
1088	winlogon.exe
2340	lsass.exe
3388	winlogon.exe
3460	winlogon.exe
3148	lsass.exe
1012	smss.exe
2968	winlogon.exe
3256	~Paraysutki_VM_Community~
2644	services.exe
4604	smss.exe
3604	services.exe
2496	~Paraysutki_VM_Community~
4332	lsass.exe
2084	winlogon.exe
1592	lsass.exe
4908	winlogon.exe
3624	services.exe
3056	rundll32.exe
4476	rundll32.exe
972	winlogon.exe
4272	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4532	60	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	79
PID 60 wrote to memory of 4532	60	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	79
PID 60 wrote to memory of 4532	60	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	79
PID 4532 wrote to memory of 1960	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	80
PID 4532 wrote to memory of 1960	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	80
PID 4532 wrote to memory of 1960	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	80
PID 1960 wrote to memory of 4692	1960	csrss.exe	81
PID 1960 wrote to memory of 4692	1960	csrss.exe	81
PID 1960 wrote to memory of 4692	1960	csrss.exe	81
PID 4692 wrote to memory of 2388	4692	csrss.exe	82
PID 4692 wrote to memory of 2388	4692	csrss.exe	82
PID 4692 wrote to memory of 2388	4692	csrss.exe	82
PID 2388 wrote to memory of 2080	2388	csrss.exe	83
PID 2388 wrote to memory of 2080	2388	csrss.exe	83
PID 2388 wrote to memory of 2080	2388	csrss.exe	83
PID 4692 wrote to memory of 4876	4692	csrss.exe	84
PID 4692 wrote to memory of 4876	4692	csrss.exe	84
PID 4692 wrote to memory of 4876	4692	csrss.exe	84
PID 4532 wrote to memory of 3412	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	86
PID 4532 wrote to memory of 3412	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	86
PID 4532 wrote to memory of 3412	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	86
PID 4876 wrote to memory of 4992	4876	smss.exe	85
PID 4876 wrote to memory of 4992	4876	smss.exe	85
PID 4876 wrote to memory of 4992	4876	smss.exe	85
PID 2388 wrote to memory of 4084	2388	csrss.exe	92
PID 2388 wrote to memory of 4084	2388	csrss.exe	92
PID 2388 wrote to memory of 4084	2388	csrss.exe	92
PID 3412 wrote to memory of 364	3412	smss.exe	87
PID 3412 wrote to memory of 364	3412	smss.exe	87
PID 3412 wrote to memory of 364	3412	smss.exe	87
PID 4992 wrote to memory of 1860	4992	smss.exe	88
PID 4992 wrote to memory of 1860	4992	smss.exe	88
PID 4992 wrote to memory of 1860	4992	smss.exe	88
PID 1860 wrote to memory of 3600	1860	csrss.exe	89
PID 1860 wrote to memory of 3600	1860	csrss.exe	89
PID 1860 wrote to memory of 3600	1860	csrss.exe	89
PID 4992 wrote to memory of 5092	4992	smss.exe	90
PID 4992 wrote to memory of 5092	4992	smss.exe	90
PID 4992 wrote to memory of 5092	4992	smss.exe	90
PID 4532 wrote to memory of 700	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	91
PID 4532 wrote to memory of 700	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	91
PID 4532 wrote to memory of 700	4532	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe	91
PID 5092 wrote to memory of 3624	5092	smss.exe	93
PID 5092 wrote to memory of 3624	5092	smss.exe	93
PID 5092 wrote to memory of 3624	5092	smss.exe	93
PID 700 wrote to memory of 1656	700	lsass.exe	94
PID 700 wrote to memory of 1656	700	lsass.exe	94
PID 700 wrote to memory of 1656	700	lsass.exe	94
PID 4992 wrote to memory of 4400	4992	smss.exe	95
PID 4992 wrote to memory of 4400	4992	smss.exe	95
PID 4992 wrote to memory of 4400	4992	smss.exe	95
PID 4400 wrote to memory of 3172	4400	lsass.exe	97
PID 4400 wrote to memory of 3172	4400	lsass.exe	97
PID 4400 wrote to memory of 3172	4400	lsass.exe	97
PID 1656 wrote to memory of 924	1656	lsass.exe	96
PID 1656 wrote to memory of 924	1656	lsass.exe	96
PID 1656 wrote to memory of 924	1656	lsass.exe	96
PID 924 wrote to memory of 904	924	csrss.exe	98
PID 924 wrote to memory of 904	924	csrss.exe	98
PID 924 wrote to memory of 904	924	csrss.exe	98
PID 4692 wrote to memory of 3660	4692	csrss.exe	99
PID 4692 wrote to memory of 3660	4692	csrss.exe	99
PID 4692 wrote to memory of 3660	4692	csrss.exe	99
PID 3660 wrote to memory of 1480	3660	lsass.exe	101

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

C:\Users\Admin\AppData\Local\Temp\b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
"C:\Users\Admin\AppData\Local\Temp\b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Local\Temp\b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
  C:\Users\Admin\AppData\Local\Temp\b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4532
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4692
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2080
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\schg.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\schg.exe" csrss
        6⤵
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Drops desktop.ini file(s)
        Enumerates connected drives
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4084
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2068
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3120
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        9⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3340
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        9⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        9⤵
        Runs ping.exe
        
        PID:3648
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2656
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:1500
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        9⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        9⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        9⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        9⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        9⤵
        
        PID:976
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        
        PID:1964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        
        PID:2880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2284
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:2124
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:308
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:228
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1480
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2924
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3800
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4488
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies system executable filetype association
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Sets file execution options in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4952
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3504
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        8⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        7⤵
        Loads dropped DLL
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        
        PID:1084
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1624
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        7⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        7⤵
        Runs ping.exe
        
        PID:4228
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:2120
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1088
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        7⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        7⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        7⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        7⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        7⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        
        PID:1292
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2584
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:3776
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:2556
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:4728
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3384
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:4208
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:2260
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:364
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1656
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:924
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:904
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:716
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1364
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3936
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1624
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5060
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3388
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2968
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2496
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:984
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:1128
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:4316
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1210
        5⤵
        Runs ping.exe
        
        PID:8
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
        5⤵
        
        PID:2124
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
        5⤵
        
        PID:224
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
        5⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im tati.exe
        5⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im wscript.exe
        5⤵
        
        PID:3328
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe taskkill /f /im sys.exe
        5⤵
        
        PID:3140
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4596
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2836
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1088
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3460
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3256
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4076
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:3480
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:628
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1210
    3⤵
    - Runs ping.exe
    PID:2092
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
    3⤵
    PID:308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:224
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im tati.exe
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im sys.exe
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe taskkill /f /im wscript.exe
    3⤵
    PID:3808

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b130b38339a2f2a0c5e0882de2a32f78501a356dc839028ce214474b1615854e.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\schg.exe

Filesize
76KB

MD5
f53bc85abe830265d41529b772190c3b

SHA1
80c744171979271940ee6c5c39ff8aa6aef56486

SHA256
0c078dda58fab433ecf7ccef934d502c8c30a1635fcad4111e2447e26d0b89af

SHA512
65d3197358070c245a3ea274d0905b24d48fa870991bb396b9a1462d227365dc4db7f3df79848020a111cf94d96c6e5c49a64ba23776f322002c48b4c57ff06e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
a137a826e061cdc723c8412b984c6420

SHA1
f847b38d7b940ea29a388b6d86c6f81e339fcebb

SHA256
ae5374cc1d69583a6c089c4cfadadae234a130c1d59eeb25061617d3d0c45ca8

SHA512
2b4b8f9c51bd99fe6070d5c793a09044066e44e31ad3cf2598bc046ad5cb81e3fad61c471bcccaeb3fa8b9d23825ca6cb219575cc5b94866aed36bdf76e2c452

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp

Filesize
1.4MB

MD5
1cc3975b7593491cd7c205611698be34

SHA1
f888b74316f74e1fe94aae0f42baf18bc28111d4

SHA256
c5a7077eb7d6f374e41caf524db6e54bb7608edb2307152926c5ed1bdc1574af

SHA512
da2e80528b3ce2325c6538b3cd973cc2c87bb51aecef18702c21d609409b4d2730bac511babb383b5dac98154b5838a245465134ceb6061118b9f62dcf055bcb

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp

Filesize
1.4MB

MD5
1cc3975b7593491cd7c205611698be34

SHA1
f888b74316f74e1fe94aae0f42baf18bc28111d4

SHA256
c5a7077eb7d6f374e41caf524db6e54bb7608edb2307152926c5ed1bdc1574af

SHA512
da2e80528b3ce2325c6538b3cd973cc2c87bb51aecef18702c21d609409b4d2730bac511babb383b5dac98154b5838a245465134ceb6061118b9f62dcf055bcb

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp

Filesize
1.4MB

MD5
1cc3975b7593491cd7c205611698be34

SHA1
f888b74316f74e1fe94aae0f42baf18bc28111d4

SHA256
c5a7077eb7d6f374e41caf524db6e54bb7608edb2307152926c5ed1bdc1574af

SHA512
da2e80528b3ce2325c6538b3cd973cc2c87bb51aecef18702c21d609409b4d2730bac511babb383b5dac98154b5838a245465134ceb6061118b9f62dcf055bcb

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp

Filesize
1.4MB

MD5
1cc3975b7593491cd7c205611698be34

SHA1
f888b74316f74e1fe94aae0f42baf18bc28111d4

SHA256
c5a7077eb7d6f374e41caf524db6e54bb7608edb2307152926c5ed1bdc1574af

SHA512
da2e80528b3ce2325c6538b3cd973cc2c87bb51aecef18702c21d609409b4d2730bac511babb383b5dac98154b5838a245465134ceb6061118b9f62dcf055bcb

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp

Filesize
1.4MB

MD5
1cc3975b7593491cd7c205611698be34

SHA1
f888b74316f74e1fe94aae0f42baf18bc28111d4

SHA256
c5a7077eb7d6f374e41caf524db6e54bb7608edb2307152926c5ed1bdc1574af

SHA512
da2e80528b3ce2325c6538b3cd973cc2c87bb51aecef18702c21d609409b4d2730bac511babb383b5dac98154b5838a245465134ceb6061118b9f62dcf055bcb

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\schg.exe

Filesize
76KB

MD5
f53bc85abe830265d41529b772190c3b

SHA1
80c744171979271940ee6c5c39ff8aa6aef56486

SHA256
0c078dda58fab433ecf7ccef934d502c8c30a1635fcad4111e2447e26d0b89af

SHA512
65d3197358070c245a3ea274d0905b24d48fa870991bb396b9a1462d227365dc4db7f3df79848020a111cf94d96c6e5c49a64ba23776f322002c48b4c57ff06e

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
85ef8ec6a6a735797b8a5e8c97871460

SHA1
324749f77ae440314b39da8f4f570476ac8c1455

SHA256
4d159d6012c881b8a96d0b81c35a54d6eaa9b5bdd0006dc8aba5555da7b5b71f

SHA512
1c72c036cb4812ee7be5ee963935f85d1a7b1a3649074340b25174a1f3ab438891834a15d8440bfec078da82d64c13738d9609a8462fe8fbf00e614bf64654a8

Download Submit
\??\c:\windows\SysWOW64\XPs.ini

Filesize
1.4MB

MD5
d91c164d324457e45bd71bca367ea5f1

SHA1
5ceb0e1780e34053ba2771d0073df746a5ebb1cd

SHA256
e9e3f7ac57f2ab482861b3cf1afbdc15b2a51ae0d0512fb2fd9639d2266a9421

SHA512
6bd86a8ded4be8d0a9c28d240105e632ecb5132606791ec0a16a6640d11fff503745f3bb3d7f4c3dbaaa058eb93985fe0349ebcebc07737f602502c5355b5499

Download Submit
\??\c:\windows\SysWOW64\XPs.ini

Filesize
1.4MB

MD5
d91c164d324457e45bd71bca367ea5f1

SHA1
5ceb0e1780e34053ba2771d0073df746a5ebb1cd

SHA256
e9e3f7ac57f2ab482861b3cf1afbdc15b2a51ae0d0512fb2fd9639d2266a9421

SHA512
6bd86a8ded4be8d0a9c28d240105e632ecb5132606791ec0a16a6640d11fff503745f3bb3d7f4c3dbaaa058eb93985fe0349ebcebc07737f602502c5355b5499

Download Submit
\??\c:\windows\SysWOW64\XPs.ini

Filesize
1.4MB

MD5
d91c164d324457e45bd71bca367ea5f1

SHA1
5ceb0e1780e34053ba2771d0073df746a5ebb1cd

SHA256
e9e3f7ac57f2ab482861b3cf1afbdc15b2a51ae0d0512fb2fd9639d2266a9421

SHA512
6bd86a8ded4be8d0a9c28d240105e632ecb5132606791ec0a16a6640d11fff503745f3bb3d7f4c3dbaaa058eb93985fe0349ebcebc07737f602502c5355b5499

Download Submit
\??\c:\windows\SysWOW64\XPs.ini

Filesize
1.4MB

MD5
d91c164d324457e45bd71bca367ea5f1

SHA1
5ceb0e1780e34053ba2771d0073df746a5ebb1cd

SHA256
e9e3f7ac57f2ab482861b3cf1afbdc15b2a51ae0d0512fb2fd9639d2266a9421

SHA512
6bd86a8ded4be8d0a9c28d240105e632ecb5132606791ec0a16a6640d11fff503745f3bb3d7f4c3dbaaa058eb93985fe0349ebcebc07737f602502c5355b5499

Download Submit
\??\c:\windows\SysWOW64\XPs.ini

Filesize
1.4MB

MD5
d91c164d324457e45bd71bca367ea5f1

SHA1
5ceb0e1780e34053ba2771d0073df746a5ebb1cd

SHA256
e9e3f7ac57f2ab482861b3cf1afbdc15b2a51ae0d0512fb2fd9639d2266a9421

SHA512
6bd86a8ded4be8d0a9c28d240105e632ecb5132606791ec0a16a6640d11fff503745f3bb3d7f4c3dbaaa058eb93985fe0349ebcebc07737f602502c5355b5499

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/364-213-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/904-276-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1480-283-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1592-404-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1656-275-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1656-416-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2068-307-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2068-430-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2080-171-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2080-173-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2312-302-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2544-429-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2780-306-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2836-332-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-376-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3148-373-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3172-267-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3460-370-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3504-348-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3600-229-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-389-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3604-383-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-255-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-248-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3800-301-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4272-423-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4476-417-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4532-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4532-414-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4532-181-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4604-382-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4692-235-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4692-154-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4692-437-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4908-403-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4952-344-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4952-435-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4992-436-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4992-237-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5060-351-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download