98b8c0b46fcd24848cd9c82d48de824ba399297fe67d1b5facaf2d1c8d6a057c

Analysis

max time kernel
166s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1008510c01ae812ac9411c6f1abca788.exe
Size

127KB
MD5

1008510c01ae812ac9411c6f1abca788
SHA1

a3009e0c6ee1027f7e8a89fa642508ee8a63a5d9
SHA256

98b8c0b46fcd24848cd9c82d48de824ba399297fe67d1b5facaf2d1c8d6a057c
SHA512

a1f885afb95626389132e5f0c7f6068abd50623898d43d2368d3c5d01ee93595c37e5833f828341ad316153bfac577d8a949e3e25926ed7b9a6459e073733a5a
SSDEEP

1536:7amlu3hbBGy3G8nhMpD7MUYU6U5jUdPQc+n35KZg8/nouy8Iu:7reMPd/MYjUtQl78vout

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	1008510c01ae812ac9411c6f1abca788.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	uxnw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1008510c01ae812ac9411c6f1abca788.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1008510c01ae812ac9411c6f1abca788.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1008510c01ae812ac9411c6f1abca788.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1008510c01ae812ac9411c6f1abca788.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	1008510c01ae812ac9411c6f1abca788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	1008510c01ae812ac9411c6f1abca788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	1008510c01ae812ac9411c6f1abca788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	1008510c01ae812ac9411c6f1abca788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	smss.exe

Executes dropped EXE 64 IoCs

pid	Process
2736	1008510c01ae812ac9411c6f1abca788.exe
2712	csrss.exe
1124	csrss.exe
2652	csrss.exe
1932	csrss.exe
1152	uxnw.exe
1816	smss.exe
1180	smss.exe
2528	csrss.exe
1732	winlogon.exe
1192	rundll32.exe
2340	smss.exe
2892	lsass.exe
1520	lsass.exe
1604	csrss.exe
1800	csrss.exe
2116	smss.exe
2412	smss.exe
1044	lsass.exe
1528	lsass.exe
1524	services.exe
2440	services.exe
1612	conhost.exe
2120	csrss.exe
1980	smss.exe
896	smss.exe
2940	ping.exe
1712	lsass.exe
2208	services.exe
1568	services.exe
552	winlogon.exe
984	winlogon.exe
2560	csrss.exe
2060	csrss.exe
2392	smss.exe
2180	conhost.exe
1704	smss.exe
2732	smss.exe
2820	lsass.exe
2748	services.exe
2824	winlogon.exe
2724	Paraysutki_VM_Community
2752	lsass.exe
2616	services.exe
2640	winlogon.exe
2604	lsass.exe
3016	lsass.exe
2576	lsass.exe
1080	Paraysutki_VM_Community
1940	lsass.exe
1628	winlogon.exe
2772	services.exe
1792	services.exe
1048	winlogon.exe
2556	services.exe
2100	services.exe
568	services.exe
268	winlogon.exe
2480	services.exe
980	winlogon.exe
2072	Paraysutki_VM_Community
1636	winlogon.exe
1084	Paraysutki_VM_Community
2328	winlogon.exe

Loads dropped DLL 64 IoCs

pid	Process
2684	1008510c01ae812ac9411c6f1abca788.exe
2684	1008510c01ae812ac9411c6f1abca788.exe
2736	1008510c01ae812ac9411c6f1abca788.exe
2736	1008510c01ae812ac9411c6f1abca788.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
1124	csrss.exe
1124	csrss.exe
1124	csrss.exe
2652	csrss.exe
2652	csrss.exe
2652	csrss.exe
1932	csrss.exe
2652	csrss.exe
2652	csrss.exe
1124	csrss.exe
1124	csrss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1180	smss.exe
1180	smss.exe
1180	smss.exe
2528	csrss.exe
2528	csrss.exe
1732	winlogon.exe
1180	smss.exe
1180	smss.exe
1192	rundll32.exe
1192	rundll32.exe
2340	smss.exe
1180	smss.exe
1180	smss.exe
2892	lsass.exe
2892	lsass.exe
2892	lsass.exe
1520	lsass.exe
1520	lsass.exe
1520	lsass.exe
1604	csrss.exe
1604	csrss.exe
1800	csrss.exe
1520	lsass.exe
1520	lsass.exe
2116	smss.exe
2116	smss.exe
2412	smss.exe
1520	lsass.exe
1520	lsass.exe
1044	lsass.exe
1044	lsass.exe
1528	lsass.exe
1520	lsass.exe
1520	lsass.exe
1524	services.exe
1524	services.exe
1524	services.exe
2440	services.exe
2440	services.exe
2440	services.exe
1612	conhost.exe
1612	conhost.exe
2120	csrss.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	uxnw.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	csrss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1008510c01ae812ac9411c6f1abca788.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	uxnw.exe
File opened (read-only)	\??\N:	uxnw.exe
File opened (read-only)	\??\M:	uxnw.exe
File opened (read-only)	\??\O:	uxnw.exe
File opened (read-only)	\??\P:	uxnw.exe
File opened (read-only)	\??\T:	uxnw.exe
File opened (read-only)	\??\U:	uxnw.exe
File opened (read-only)	\??\W:	uxnw.exe
File opened (read-only)	\??\L:	uxnw.exe
File opened (read-only)	\??\J:	uxnw.exe
File opened (read-only)	\??\Q:	uxnw.exe
File opened (read-only)	\??\R:	uxnw.exe
File opened (read-only)	\??\V:	uxnw.exe
File opened (read-only)	\??\Y:	uxnw.exe
File opened (read-only)	\??\Z:	uxnw.exe
File opened (read-only)	\??\I:	uxnw.exe
File opened (read-only)	\??\E:	uxnw.exe
File opened (read-only)	\??\G:	uxnw.exe
File opened (read-only)	\??\H:	uxnw.exe
File opened (read-only)	\??\K:	uxnw.exe
File opened (read-only)	\??\S:	uxnw.exe
File opened (read-only)	\??\B:	uxnw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	1008510c01ae812ac9411c6f1abca788.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	1008510c01ae812ac9411c6f1abca788.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	1008510c01ae812ac9411c6f1abca788.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	uxnw.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	conhost.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	ping.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	uxnw.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	1008510c01ae812ac9411c6f1abca788.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	1008510c01ae812ac9411c6f1abca788.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	1008510c01ae812ac9411c6f1abca788.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	uxnw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	uxnw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	1008510c01ae812ac9411c6f1abca788.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	1008510c01ae812ac9411c6f1abca788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	1008510c01ae812ac9411c6f1abca788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	uxnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	uxnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
992	ping.exe
2700	ping.exe
2940	ping.exe
1868	ping.exe
1224	ping.exe
2312	ping.exe
2040	ping.exe
2388	ping.exe
2776	ping.exe
2204	ping.exe
544	ping.exe
2944	ping.exe
832	ping.exe
2304	ping.exe
1164	ping.exe
2196	ping.exe
1632	ping.exe
1640	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe
1816	smss.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1192	rundll32.exe
1132	rundll32.exe
1924	rundll32.exe
2688	rundll32.exe
560	rundll32.exe
2012	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2684	1008510c01ae812ac9411c6f1abca788.exe
2736	1008510c01ae812ac9411c6f1abca788.exe
2712	csrss.exe
1124	csrss.exe
2652	csrss.exe
1932	csrss.exe
1152	uxnw.exe
1816	smss.exe
1180	smss.exe
2528	csrss.exe
1732	winlogon.exe
1192	rundll32.exe
2340	smss.exe
2892	lsass.exe
1520	lsass.exe
1604	csrss.exe
1800	csrss.exe
2116	smss.exe
2412	smss.exe
1044	lsass.exe
1528	lsass.exe
1524	services.exe
2440	services.exe
1612	conhost.exe
2120	csrss.exe
1980	smss.exe
896	smss.exe
2940	ping.exe
1712	lsass.exe
2208	services.exe
1568	services.exe
552	winlogon.exe
984	winlogon.exe
2560	csrss.exe
2060	csrss.exe
2392	smss.exe
2180	conhost.exe
1704	smss.exe
2820	lsass.exe
2748	services.exe
2732	smss.exe
2824	winlogon.exe
2724	Paraysutki_VM_Community
2616	services.exe
2752	lsass.exe
2640	winlogon.exe
2604	lsass.exe
2576	lsass.exe
3016	lsass.exe
1940	lsass.exe
1080	Paraysutki_VM_Community
2772	services.exe
1628	winlogon.exe
1792	services.exe
2556	services.exe
1048	winlogon.exe
2100	services.exe
568	services.exe
268	winlogon.exe
2480	services.exe
980	winlogon.exe
2072	Paraysutki_VM_Community
1636	winlogon.exe
2328	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2736	2684	1008510c01ae812ac9411c6f1abca788.exe	51
PID 2684 wrote to memory of 2736	2684	1008510c01ae812ac9411c6f1abca788.exe	51
PID 2684 wrote to memory of 2736	2684	1008510c01ae812ac9411c6f1abca788.exe	51
PID 2684 wrote to memory of 2736	2684	1008510c01ae812ac9411c6f1abca788.exe	51
PID 2736 wrote to memory of 2712	2736	1008510c01ae812ac9411c6f1abca788.exe	18
PID 2736 wrote to memory of 2712	2736	1008510c01ae812ac9411c6f1abca788.exe	18
PID 2736 wrote to memory of 2712	2736	1008510c01ae812ac9411c6f1abca788.exe	18
PID 2736 wrote to memory of 2712	2736	1008510c01ae812ac9411c6f1abca788.exe	18
PID 2712 wrote to memory of 1124	2712	csrss.exe	50
PID 2712 wrote to memory of 1124	2712	csrss.exe	50
PID 2712 wrote to memory of 1124	2712	csrss.exe	50
PID 2712 wrote to memory of 1124	2712	csrss.exe	50
PID 1124 wrote to memory of 2652	1124	csrss.exe	49
PID 1124 wrote to memory of 2652	1124	csrss.exe	49
PID 1124 wrote to memory of 2652	1124	csrss.exe	49
PID 1124 wrote to memory of 2652	1124	csrss.exe	49
PID 2652 wrote to memory of 1932	2652	csrss.exe	19
PID 2652 wrote to memory of 1932	2652	csrss.exe	19
PID 2652 wrote to memory of 1932	2652	csrss.exe	19
PID 2652 wrote to memory of 1932	2652	csrss.exe	19
PID 2652 wrote to memory of 1152	2652	csrss.exe	20
PID 2652 wrote to memory of 1152	2652	csrss.exe	20
PID 2652 wrote to memory of 1152	2652	csrss.exe	20
PID 2652 wrote to memory of 1152	2652	csrss.exe	20
PID 1124 wrote to memory of 1816	1124	csrss.exe	48
PID 1124 wrote to memory of 1816	1124	csrss.exe	48
PID 1124 wrote to memory of 1816	1124	csrss.exe	48
PID 1124 wrote to memory of 1816	1124	csrss.exe	48
PID 1816 wrote to memory of 1180	1816	smss.exe	21
PID 1816 wrote to memory of 1180	1816	smss.exe	21
PID 1816 wrote to memory of 1180	1816	smss.exe	21
PID 1816 wrote to memory of 1180	1816	smss.exe	21
PID 1180 wrote to memory of 2528	1180	smss.exe	47
PID 1180 wrote to memory of 2528	1180	smss.exe	47
PID 1180 wrote to memory of 2528	1180	smss.exe	47
PID 1180 wrote to memory of 2528	1180	smss.exe	47
PID 2528 wrote to memory of 1732	2528	csrss.exe	84
PID 2528 wrote to memory of 1732	2528	csrss.exe	84
PID 2528 wrote to memory of 1732	2528	csrss.exe	84
PID 2528 wrote to memory of 1732	2528	csrss.exe	84
PID 1180 wrote to memory of 1192	1180	smss.exe	85
PID 1180 wrote to memory of 1192	1180	smss.exe	85
PID 1180 wrote to memory of 1192	1180	smss.exe	85
PID 1180 wrote to memory of 1192	1180	smss.exe	85
PID 1192 wrote to memory of 2340	1192	rundll32.exe	44
PID 1192 wrote to memory of 2340	1192	rundll32.exe	44
PID 1192 wrote to memory of 2340	1192	rundll32.exe	44
PID 1192 wrote to memory of 2340	1192	rundll32.exe	44
PID 1180 wrote to memory of 2892	1180	smss.exe	43
PID 1180 wrote to memory of 2892	1180	smss.exe	43
PID 1180 wrote to memory of 2892	1180	smss.exe	43
PID 1180 wrote to memory of 2892	1180	smss.exe	43
PID 2892 wrote to memory of 1520	2892	lsass.exe	22
PID 2892 wrote to memory of 1520	2892	lsass.exe	22
PID 2892 wrote to memory of 1520	2892	lsass.exe	22
PID 2892 wrote to memory of 1520	2892	lsass.exe	22
PID 1520 wrote to memory of 1604	1520	lsass.exe	23
PID 1520 wrote to memory of 1604	1520	lsass.exe	23
PID 1520 wrote to memory of 1604	1520	lsass.exe	23
PID 1520 wrote to memory of 1604	1520	lsass.exe	23
PID 1604 wrote to memory of 1800	1604	csrss.exe	24
PID 1604 wrote to memory of 1800	1604	csrss.exe	24
PID 1604 wrote to memory of 1800	1604	csrss.exe	24
PID 1604 wrote to memory of 1800	1604	csrss.exe	24

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1008510c01ae812ac9411c6f1abca788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1008510c01ae812ac9411c6f1abca788.exe

C:\Users\Admin\AppData\Local\Temp\1008510c01ae812ac9411c6f1abca788.exe
"C:\Users\Admin\AppData\Local\Temp\1008510c01ae812ac9411c6f1abca788.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\1008510c01ae812ac9411c6f1abca788.exe
  C:\Users\Admin\AppData\Local\Temp\1008510c01ae812ac9411c6f1abca788.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2736
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1704
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2732
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:560
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:1164
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2776
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2040
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    - Drops file in System32 directory
    PID:1532
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1636
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2556
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2576

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
  C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1124
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2820
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2752
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2772
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1792
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2304
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:2204
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Runs ping.exe
    - Suspicious use of SetWindowsHookEx
    PID:2940
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2688
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    - Executes dropped EXE
    PID:1084
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:268

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1932

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\uxnw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\uxnw.exe" csrss
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1180
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
  2⤵
  PID:1192
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2748
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2616
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1628
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1048
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2072
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1192
- C:\Windows\SysWOW64\ping.exe
  ping www.rasasayang.com.my -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:2196
- C:\Windows\SysWOW64\ping.exe
  ping www.data0.net -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:1868
- C:\Windows\SysWOW64\ping.exe
  ping www.duniasex.com -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:1224

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1520
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1800
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1044
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1528
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1524
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2440
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2120
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:1980
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2208
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:552
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2724
  - - C:\Windows\SysWOW64\ping.exe
      ping www.duniasex.com -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2312
  - - C:\Windows\SysWOW64\ping.exe
      ping www.rasasayang.com.my -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:1640
  - - C:\Windows\SysWOW64\ping.exe
      ping www.data0.net -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:2388
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:2012
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2824
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2640
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1924
- C:\Windows\SysWOW64\ping.exe
  ping www.data0.net -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:832
- C:\Windows\SysWOW64\ping.exe
  ping www.rasasayang.com.my -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:1632
- C:\Windows\SysWOW64\ping.exe
  ping www.duniasex.com -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:544

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:984
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2560
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2060
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2392
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2604
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3016
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:568
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2480
- C:\Windows\SysWOW64\ping.exe
  ping www.rasasayang.com.my -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:992
- C:\Windows\SysWOW64\ping.exe
  ping www.data0.net -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:2944
- C:\Windows\SysWOW64\ping.exe
  ping www.duniasex.com -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:2700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1132
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  2⤵
  PID:2908
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2328

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
1⤵
PID:1732

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
1⤵
PID:2180

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:980

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1582783234979302113-871732600-15653521319921282691757791318450698081-1147321235"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1846021083962916927-860225627217952881-16151101331808613853-5078478441770754723"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
1⤵
PID:2096

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1008510c01ae812ac9411c6f1abca788.exe

Filesize
45KB

MD5
bd9270a629d91e2fa5d400ea6bbb764d

SHA1
4466bef39ba97084031c9a2f6d916829c28b00b6

SHA256
219b89f9a705dbac1b96f9ce3e503bce72eb8e0de9c320022348cb6ceabae433

SHA512
b9d159b4e955edcec70b6d76654999033582c3c4abde6550a0821a634bb65a441494aadff49d10c89b978cd2f68c97fe59365121367ef7578a36e7691688f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008510c01ae812ac9411c6f1abca788.exe

Filesize
50KB

MD5
69beac0954c38e170a6db8c50fe6a055

SHA1
2b16d43fa9c5d042a030b9267846cf254d47da75

SHA256
2f850319eb8dcefbd7d7c2f405c9b5a9e76ca7ebda34751017e2f23c01a00e8e

SHA512
c219d6d014898394116b1b19ac330143396af470198334f01b2944049b5bb9fe2c5febfcb040ff6ed2e75416908b7089ff0261b7c7c2029a60c3cae8a01666a1

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

Filesize
73KB

MD5
7707d1f9178bc05315d88a69aaa3abdd

SHA1
b32f0705bb7f8ddea9b46b50ff07f1e295c4e33f

SHA256
b33b5f68192d13bb50ed84fa40e502f4b4b7a574163c84def84501d48002a9db

SHA512
6a0b59e2dc5e9313020f196a6790a0fe831d1a5a108bf9d01994eb094190a45d7f4906acda960e11bd6886d4584a485eb38aded98b794813c908b364eea91901

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

Filesize
27KB

MD5
c86878f6125ec9f2176b6fe4ca2caa57

SHA1
a31e5953366ab551c9b2eeb9cc34a9a8fb03be13

SHA256
266acf22dcec348f7019d2d204f9e918d33d84d24fe10db8c88e319509b9b03b

SHA512
d9032dc6e9128d5ac61e17810a85a32049b5fde639378a405077636ee6c1b9e850143aa1a3af73a63fe623348add7ab86952c7ed3a2a6e176306347fdd47348e

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
33KB

MD5
1d1e61fec1240fc0d82dfd6290655314

SHA1
edbbf06a41cae7a38c95e2215f32afb6676860b3

SHA256
8746a3dda8fcfb604b4fd4df82a6e02c2e7d1b39f527679107d49168b1953577

SHA512
6692e73d13286352ef83058fff110925fa64205810585723381fb19a8a5f059749308aa5567104113097e4d7485c7747ace7b759ca54a4e710ed8093ac3b03f3

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
123KB

MD5
751c6951834f1c7b1a75a78b0a641522

SHA1
dd3a8ce9b85b44b2b0353fa603ab9b8f63b3ef05

SHA256
38d7bda3dd473d1cf2714cb9faad2accf720a9c37b795d2570e31455534dc64a

SHA512
4b7c3fafc65af313037bb4848d1f4d83326c38b44cc5edeb89722dc2bb478625c5be95ba3070bad814df9139285729d07cf555005146de40ef133670fc7fae8d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
127KB

MD5
5473b7e5062d6971f643f6feeb38c01b

SHA1
345ad2ce3c5bf79b442c80fbec4dfd8607328f3e

SHA256
1c4638d906cf616492b39b3150d2328bb6c59ce217ad96a2d3e163c0ef18fad2

SHA512
31db327456f5024c4df42581058bfe31f36a4dac52b7d6b6ace5ce8e5f19b8bf440f8a7ca335564892164abe6a95e205c06973d11cf4abfc8ec198ef4e3f1182

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\1008510c01ae812ac9411c6f1abca788.exe

Filesize
47KB

MD5
6c969fc8478ea80d9b66fd07fdf66f7d

SHA1
8a13a427c2ff883aa5dccc3bf73af8d5ace69c26

SHA256
702b88aab12625662f4fc805929502d5ac523c46e41889a0c5afe733892b9055

SHA512
55b5ee010f4452cdd61dfb4a66331abf2081e191d1673991812f3116f6f273a036be13bf9d6a7d2ca962d529cbae177e8d1f058ec902a827dd2542de169bbdbb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\uxnw.exe

Filesize
76KB

MD5
48a21b59d29ac98bbaa678171f5c6d18

SHA1
6764a2254eb95be16ea66e2c912944e5b15d9fdc

SHA256
c82e2e4a6667f79c339102532f86f10d42d19e09aa91a5e72d4a49a5f7631283

SHA512
56b662bfadce02f4d0db5c38eb5b3b3d3f21a8ed9a336d49a7f0339dd2f5d13ed3e7ab3b004c83362de7f61ae29e5da244c50c8573e4e0ab5da21c81cc199b78

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
114KB

MD5
d77b5f21ef069d839a69981aeb33546f

SHA1
8cecb46789fffa7eaf0be8eaca17a48da58bedad

SHA256
16f1be73d54382991b6f79493fc3fed39dec37e9084fc8bb67d4c27f201548fe

SHA512
89f816e7310d76e6bb5a9f2da170522dbd45e146bfa6431fea915718b1eda4b8d324305ea7907efb0e2af30f26f3b9c834a88d2383513d1969378881da1819b9

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

Filesize
45KB

MD5
22df0c5433ce10f55b1889f85c9cae4a

SHA1
d92e67dad6ee476dc56ed402bbf0b94a812dbee9

SHA256
8691d24e7e1c9a97728fa6af006aa7f3666fd1b04b758d5a5abd997dd04b0263

SHA512
4671c974be4c4d589d1057c45268628ba0efcb56a1ebef14413222edc172b8792b03ed6ec0a9d9b73302fb45bb835e5d6959fc28986bd49cd92729344005b995

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
468KB

MD5
99ae1384ddf049782ee275381dd1543b

SHA1
be5e09f970fd814935bec5695aa6dbab53d1e00f

SHA256
5df703f0879124abb7e05cbbd1e8ebfcf94a6e632ec996d816e6efc49763e648

SHA512
416e133841cec091e42ca6845a995704c988d26501002ae6c62c5c779282512a417e01af92ffb18fbc30ec63a49931c1a36107268babdcb6774305796421476b

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
158KB

MD5
a929f56c9ec9a1150f7331352c8eaa8b

SHA1
558b8ff655874cefe5cd2033e25a3e8297604205

SHA256
4269a858ecb3cae42bc532e04cde1713fdccde65db097a1d7105c77438cfa397

SHA512
bbe331ca042e6ba1d9e0eb7c4363e9a7960a5d9adb7d6cf1204c702d85f5c69ffbc615cdae4a7763e22e3a002e80894c2b2e1445f5c39ecea7f0ccf19587dd29

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
342KB

MD5
0a71f1382813630d23c4a33cee3ff7d0

SHA1
71b9cd8e0da11bd553c0fdd0391d9620fb723baa

SHA256
2f48a6d116ccb245a29557945b0da74cd637c6c53ef4f396aacb8b6357f05453

SHA512
29d56c6a06e63bdb155f8f3118a8d4410f00e56eac7b496b7b338d688bed58ddd265d270a9bad8c6e74c6c651c4379f09d85d60a65e5e054638dc06f892a11a9

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
32KB

MD5
1eaa7a891d31a10138ec631c5e051563

SHA1
3d5eef2915dfcc40af5c2f4c9e074b9cc1aa640f

SHA256
f93580fc76b056f0a4bf00b985375089132089d2039cd3eca0246ad1764b0e9b

SHA512
85494aadc0ba74ff977935afc611e4f89f5cb0619b84d8d48cf6c3911cd74d5128b261b1528e8b1c681caaf871e334c386a02f4ecd3e7820b4425a80b91556eb

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
49KB

MD5
9ec60a72d01559d89cc4ca9820a2af9f

SHA1
ee11121e681e09b9d812058570bb0297e2fc84de

SHA256
90ce8e3be0f5b71b8046b3e96615ce7e42e0a861c3b9a6f57cd0193627ea28f3

SHA512
50f983a4860081d0fc4606df6756997778837e7b32ddcc99437016f52b3fd007a14809004237a0392a18100a51072c6f238a9cc3a9628ed1285ec16ebd0eb9f0

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
417KB

MD5
bf071af867344ddd2ce6b0e876cdd4f2

SHA1
11e173193895653eead93717cfa9bc8ab2ad8c3a

SHA256
078742304555ee3fcf4e4259fce89ae7242366fe2f73dbeca63641e38c2c4a99

SHA512
c96340d80422b22bcb776b85219001866afe2a4897305e28cc2fd8ef0314430ea169b9dd1bd1d4778a7415b8cd11ab847f3ae18ca0405ad2c73156069fc11a9d

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
70KB

MD5
f060af9a247c4a8983efae5e52d6f61b

SHA1
8e17d031e908038a9540dd14b8fe865408a11f74

SHA256
16f85ec226d930c7da4d9f9d81db605a7ab039c8c60d0f884ef52a1bd484cc89

SHA512
e3a739edd7b2ff9c3eec062cd7e4b851c25ecbf77128153592a2506b6dc423885d6e4c35b07618f8076e567ca2a5b1f9b5a958fb8a94efbc1fa9d825961cf351

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
49KB

MD5
fa64df32ffd8ac17963e092b8d74a707

SHA1
543dc73ded5e4e7fc9cdae2bb0064bb4fca0293f

SHA256
86a8ddfbdf83a80c93fd0b6c105a3027f9672d267396869738cc049ecace3f8d

SHA512
50d9bcb1900da85ce97bd7328736e56837f2c1d5bcb56e310871d2318d256149a6245bb26576178794d0ed9ed281a1d645f3fc05a549615587a1345e0ae55b0e

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
151KB

MD5
71d6f5c1dcae058f06ea7da32faab947

SHA1
3895a02e3b07b23f888d90718dd5538bacacd9e9

SHA256
36e21c7fdd0c388a2984e233e48c65089800447259224dc392806f530aa5257d

SHA512
e01143d3f6d166c9cb074a3e19cee0df3312fe15aaf904a90e1ea991859e59fa304c91e085046817357e28a4fd974339bb27422d9285f863717f9a8932124c83

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
122KB

MD5
a50b9a7333fd41f01d4826b9d5e4cb9f

SHA1
351d76aa4dfbe77fecd5eceeadf8c2a3ff99ef73

SHA256
024c960d848fbad7176a2436e719f860163aca6c270caedc74f0c5407ae41c70

SHA512
1b7c0730dc27dd48b0e929cad8dd8b4e02592f2c66a3bca3bb0404facdc5f4108e80f82f75cf916444147c5c47e7af203ef3d79f282fff0ea2511e7c6c03d518

Download Submit
memory/268-394-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/552-326-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/896-267-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/980-398-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/984-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1048-386-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-237-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1180-256-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1180-427-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1520-288-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1520-425-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1528-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1568-281-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1612-257-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/1628-371-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1636-407-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/1704-351-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1712-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-185-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-417-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1792-379-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1800-222-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1816-255-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1816-168-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1932-115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-367-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1980-264-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2060-300-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2096-416-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2120-260-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2180-339-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2180-346-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2328-411-0x00000000002C0000-0x00000000002E0000-memory.dmp

Filesize
128KB

Download
memory/2340-202-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-340-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2392-305-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2412-232-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2412-229-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2440-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2440-419-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2528-187-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2528-181-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2560-297-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/2576-350-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2616-360-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-354-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-112-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2684-7-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2684-12-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2684-199-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2712-236-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2732-347-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2736-429-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2736-221-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2736-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2752-364-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-366-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2820-323-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2892-271-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2892-215-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2940-272-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/3016-375-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download