d09e269588b123102a1c3a75af3350a00836d55e75987931511b1769e626f5bc

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Size

127KB
MD5

01428ce4113dc16b028db712cc0adbc7
SHA1

440212bb29e6f8a76be987a0fe6e5a1bdef840f3
SHA256

d09e269588b123102a1c3a75af3350a00836d55e75987931511b1769e626f5bc
SHA512

b6eb9fcb44669295b0bca67ad0ebd9f57d77dbd47b7e60cd3077b9f5457735fb2be6e53ce17dca394f737ad3fe45c1ed20a87066f45824454ae6c00006c01682
SSDEEP

1536:jamlu3hbBGy3G8nhMpD7MUYU6U5jUdPQc+n35KZg8/nouy8Iu:jreMPd/MYjUtQl78vout

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 36 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 38 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	scdv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 36 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Disables RegEdit via registry modification 36 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe

Executes dropped EXE 64 IoCs

pid	Process
2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
1596	csrss.exe
2404	csrss.exe
1980	csrss.exe
432	csrss.exe
1496	scdv.exe
1108	smss.exe
1660	smss.exe
1544	csrss.exe
952	csrss.exe
1996	smss.exe
1376	smss.exe
2228	lsass.exe
2656	lsass.exe
1924	csrss.exe
2304	csrss.exe
2320	smss.exe
1668	smss.exe
1856	lsass.exe
1688	lsass.exe
2704	services.exe
984	services.exe
1336	csrss.exe
1112	csrss.exe
912	smss.exe
2256	smss.exe
2396	lsass.exe
1772	lsass.exe
2112	services.exe
2696	services.exe
2348	winlogon.exe
1760	winlogon.exe
2164	csrss.exe
2000	csrss.exe
2024	smss.exe
1720	smss.exe
3032	lsass.exe
2864	lsass.exe
2624	services.exe
2736	services.exe
2632	winlogon.exe
2272	winlogon.exe
2764	Paraysutki_VM_Community
2844	Paraysutki_VM_Community
2456	winlogon.exe
1100	winlogon.exe
2564	csrss.exe
1740	csrss.exe
2708	smss.exe
2692	smss.exe
1156	lsass.exe
844	lsass.exe
1264	services.exe
1520	services.exe
1940	csrss.exe
860	csrss.exe
2324	smss.exe
1724	smss.exe
3064	lsass.exe
428	lsass.exe
3036	services.exe
1084	services.exe
1820	winlogon.exe
1072	winlogon.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
2072	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
1596	csrss.exe
1596	csrss.exe
1596	csrss.exe
2404	csrss.exe
2404	csrss.exe
2404	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
432	csrss.exe
1980	csrss.exe
1980	csrss.exe
2404	csrss.exe
2404	csrss.exe
1108	smss.exe
1108	smss.exe
1108	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1544	csrss.exe
1544	csrss.exe
952	csrss.exe
1660	smss.exe
1660	smss.exe
1996	smss.exe
1996	smss.exe
1376	smss.exe
1660	smss.exe
1660	smss.exe
2228	lsass.exe
2228	lsass.exe
2228	lsass.exe
2656	lsass.exe
2656	lsass.exe
2656	lsass.exe
1924	csrss.exe
1924	csrss.exe
2304	csrss.exe
2656	lsass.exe
2656	lsass.exe
2320	smss.exe
2320	smss.exe
1668	smss.exe
2656	lsass.exe
2656	lsass.exe
1856	lsass.exe
1856	lsass.exe
1688	lsass.exe
2656	lsass.exe
2656	lsass.exe
2704	services.exe
2704	services.exe
2704	services.exe
984	services.exe
984	services.exe
984	services.exe
1336	csrss.exe
1336	csrss.exe
1112	csrss.exe

Modifies system executable filetype association 2 TTPs 38 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	scdv.exe
File opened (read-only)	\??\P:	scdv.exe
File opened (read-only)	\??\U:	scdv.exe
File opened (read-only)	\??\B:	scdv.exe
File opened (read-only)	\??\I:	scdv.exe
File opened (read-only)	\??\J:	scdv.exe
File opened (read-only)	\??\N:	scdv.exe
File opened (read-only)	\??\Y:	scdv.exe
File opened (read-only)	\??\Z:	scdv.exe
File opened (read-only)	\??\G:	scdv.exe
File opened (read-only)	\??\T:	scdv.exe
File opened (read-only)	\??\W:	scdv.exe
File opened (read-only)	\??\H:	scdv.exe
File opened (read-only)	\??\K:	scdv.exe
File opened (read-only)	\??\L:	scdv.exe
File opened (read-only)	\??\M:	scdv.exe
File opened (read-only)	\??\O:	scdv.exe
File opened (read-only)	\??\Q:	scdv.exe
File opened (read-only)	\??\R:	scdv.exe
File opened (read-only)	\??\S:	scdv.exe
File opened (read-only)	\??\V:	scdv.exe
File opened (read-only)	\??\X:	scdv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	scdv.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	scdv.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	scdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	scdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	scdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	scdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	scdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	scdv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	scdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	scdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	scdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	scdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	scdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	scdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	scdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	scdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	scdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	scdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1068	ping.exe
4828	ping.exe
5884	ping.exe
2648	ping.exe
1104	ping.exe
3216	ping.exe
3900	ping.exe
5204	ping.exe
5904	ping.exe
3256	ping.exe
3932	ping.exe
6356	ping.exe
1240	ping.exe
3276	ping.exe
4764	ping.exe
5992	ping.exe
4556	ping.exe
1768	ping.exe
4144	ping.exe
1812	ping.exe
3676	ping.exe
4676	ping.exe
3432	ping.exe
5016	ping.exe
3976	ping.exe
764	ping.exe
1628	ping.exe
5956	ping.exe
3412	ping.exe
3708	ping.exe
3988	ping.exe
4432	ping.exe
6416	ping.exe
1260	ping.exe
2676	ping.exe
6908	ping.exe
952	ping.exe
4908	ping.exe
3888	ping.exe
668	ping.exe
2784	ping.exe
6384	ping.exe
5348	ping.exe
904	ping.exe
1376	ping.exe
4532	ping.exe
5700	ping.exe
5692	ping.exe
5508	ping.exe
5532	ping.exe
1884	ping.exe
2804	ping.exe
364	ping.exe
2612	ping.exe
3692	ping.exe
4544	ping.exe
6392	ping.exe
2108	ping.exe
2960	ping.exe
5480	ping.exe
6012	ping.exe
6120	ping.exe
4728	ping.exe
5244	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2348	winlogon.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe
2704	services.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2100	rundll32.exe
2780	rundll32.exe
1792	rundll32.exe
2924	rundll32.exe
2476	rundll32.exe
1900	rundll32.exe
1520	rundll32.exe
236	rundll32.exe
2232	rundll32.exe
896	rundll32.exe
2144	rundll32.exe
3164	rundll32.exe
3848	rundll32.exe
2788	rundll32.exe
3324	rundll32.exe
4060	rundll32.exe
3992	rundll32.exe
4104	rundll32.exe
4776	rundll32.exe
4452	rundll32.exe
4624	rundll32.exe
4980	rundll32.exe
4664	rundll32.exe
4152	rundll32.exe
5604	rundll32.exe
6128	rundll32.exe
5308	rundll32.exe
5920	rundll32.exe
5880	rundll32.exe
5852	rundll32.exe
2928	rundll32.exe
7128	rundll32.exe
6188	rundll32.exe
6820	rundll32.exe
7076	rundll32.exe
2932	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2072	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
1596	csrss.exe
2404	csrss.exe
1980	csrss.exe
432	csrss.exe
1496	scdv.exe
1108	smss.exe
1660	smss.exe
1544	csrss.exe
952	csrss.exe
1996	smss.exe
1376	smss.exe
2228	lsass.exe
2656	lsass.exe
1924	csrss.exe
2304	csrss.exe
2320	smss.exe
1668	smss.exe
1856	lsass.exe
1688	lsass.exe
2704	services.exe
984	services.exe
1336	csrss.exe
1112	csrss.exe
912	smss.exe
2256	smss.exe
2396	lsass.exe
1772	lsass.exe
2112	services.exe
2696	services.exe
2348	winlogon.exe
1760	winlogon.exe
2164	csrss.exe
2000	csrss.exe
2024	smss.exe
1720	smss.exe
3032	lsass.exe
2864	lsass.exe
2624	services.exe
2736	services.exe
2632	winlogon.exe
2272	winlogon.exe
2764	Paraysutki_VM_Community
2844	Paraysutki_VM_Community
2456	winlogon.exe
1100	winlogon.exe
2564	csrss.exe
1740	csrss.exe
2708	smss.exe
2692	smss.exe
1156	lsass.exe
844	lsass.exe
1264	services.exe
1520	services.exe
1940	csrss.exe
860	csrss.exe
2324	smss.exe
1724	smss.exe
3064	lsass.exe
428	lsass.exe
3036	services.exe
1084	services.exe
1820	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2144	2072	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2144	2072	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2144	2072	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2144	2072	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	28
PID 2144 wrote to memory of 1596	2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	29
PID 2144 wrote to memory of 1596	2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	29
PID 2144 wrote to memory of 1596	2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	29
PID 2144 wrote to memory of 1596	2144	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe	29
PID 1596 wrote to memory of 2404	1596	csrss.exe	30
PID 1596 wrote to memory of 2404	1596	csrss.exe	30
PID 1596 wrote to memory of 2404	1596	csrss.exe	30
PID 1596 wrote to memory of 2404	1596	csrss.exe	30
PID 2404 wrote to memory of 1980	2404	csrss.exe	31
PID 2404 wrote to memory of 1980	2404	csrss.exe	31
PID 2404 wrote to memory of 1980	2404	csrss.exe	31
PID 2404 wrote to memory of 1980	2404	csrss.exe	31
PID 1980 wrote to memory of 432	1980	csrss.exe	32
PID 1980 wrote to memory of 432	1980	csrss.exe	32
PID 1980 wrote to memory of 432	1980	csrss.exe	32
PID 1980 wrote to memory of 432	1980	csrss.exe	32
PID 1980 wrote to memory of 1496	1980	csrss.exe	33
PID 1980 wrote to memory of 1496	1980	csrss.exe	33
PID 1980 wrote to memory of 1496	1980	csrss.exe	33
PID 1980 wrote to memory of 1496	1980	csrss.exe	33
PID 2404 wrote to memory of 1108	2404	csrss.exe	34
PID 2404 wrote to memory of 1108	2404	csrss.exe	34
PID 2404 wrote to memory of 1108	2404	csrss.exe	34
PID 2404 wrote to memory of 1108	2404	csrss.exe	34
PID 1108 wrote to memory of 1660	1108	smss.exe	35
PID 1108 wrote to memory of 1660	1108	smss.exe	35
PID 1108 wrote to memory of 1660	1108	smss.exe	35
PID 1108 wrote to memory of 1660	1108	smss.exe	35
PID 1660 wrote to memory of 1544	1660	smss.exe	36
PID 1660 wrote to memory of 1544	1660	smss.exe	36
PID 1660 wrote to memory of 1544	1660	smss.exe	36
PID 1660 wrote to memory of 1544	1660	smss.exe	36
PID 1544 wrote to memory of 952	1544	csrss.exe	37
PID 1544 wrote to memory of 952	1544	csrss.exe	37
PID 1544 wrote to memory of 952	1544	csrss.exe	37
PID 1544 wrote to memory of 952	1544	csrss.exe	37
PID 1660 wrote to memory of 1996	1660	smss.exe	38
PID 1660 wrote to memory of 1996	1660	smss.exe	38
PID 1660 wrote to memory of 1996	1660	smss.exe	38
PID 1660 wrote to memory of 1996	1660	smss.exe	38
PID 1996 wrote to memory of 1376	1996	smss.exe	39
PID 1996 wrote to memory of 1376	1996	smss.exe	39
PID 1996 wrote to memory of 1376	1996	smss.exe	39
PID 1996 wrote to memory of 1376	1996	smss.exe	39
PID 1660 wrote to memory of 2228	1660	smss.exe	40
PID 1660 wrote to memory of 2228	1660	smss.exe	40
PID 1660 wrote to memory of 2228	1660	smss.exe	40
PID 1660 wrote to memory of 2228	1660	smss.exe	40
PID 2228 wrote to memory of 2656	2228	lsass.exe	41
PID 2228 wrote to memory of 2656	2228	lsass.exe	41
PID 2228 wrote to memory of 2656	2228	lsass.exe	41
PID 2228 wrote to memory of 2656	2228	lsass.exe	41
PID 2656 wrote to memory of 1924	2656	lsass.exe	42
PID 2656 wrote to memory of 1924	2656	lsass.exe	42
PID 2656 wrote to memory of 1924	2656	lsass.exe	42
PID 2656 wrote to memory of 1924	2656	lsass.exe	42
PID 1924 wrote to memory of 2304	1924	csrss.exe	43
PID 1924 wrote to memory of 2304	1924	csrss.exe	43
PID 1924 wrote to memory of 2304	1924	csrss.exe	43
PID 1924 wrote to memory of 2304	1924	csrss.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2144
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2404
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:432
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scdv.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\scdv.exe" csrss
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Modifies system executable filetype association
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1496
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1660
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:984
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2780
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:2612
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:2648
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2100
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:668
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:428
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:924
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1792
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:1240
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:1104
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:284
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2924
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:2784
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2476
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2804
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:1260
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:1284
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:764
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1520
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2108
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:764
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2676
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:896
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:956
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1068
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        
        PID:872
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:1704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2232
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:1768
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        
        PID:860
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3036
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:2320
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:2524
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        System policy modification
        
        PID:1044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:684
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2144
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:2960
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:1628
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:1812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3164
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3256
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3276
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3420
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3848
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:3888
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:3932
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2788
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3676
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3692
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3708
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4060
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:3900
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:1376
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3628
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        15⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        16⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        15⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        16⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        15⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        16⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        15⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        16⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        15⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        16⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        15⤵
        
        PID:428
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3992
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        15⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        15⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        15⤵
        Runs ping.exe
        
        PID:3976
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4104
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:4144
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        15⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        16⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        15⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        16⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        15⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        16⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        15⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        16⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        15⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        16⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        15⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4776
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        15⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        15⤵
        Runs ping.exe
        
        PID:4828
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        15⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4624
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:4728
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:4764
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4980
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3988
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4260
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5116
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4680
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        15⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        16⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        15⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        16⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        15⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        16⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        15⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        16⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        15⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        16⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        17⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        18⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        17⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        18⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        17⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        18⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        17⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        18⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        17⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        18⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        17⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        17⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4664
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        17⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        17⤵
        Runs ping.exe
        
        PID:5016
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        17⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        15⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4152
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        15⤵
        Runs ping.exe
        
        PID:4432
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        15⤵
        Runs ping.exe
        
        PID:4676
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        15⤵
        Runs ping.exe
        
        PID:4908
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5384
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        15⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        16⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        17⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        18⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        17⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        18⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        17⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        18⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5856
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        19⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        20⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        19⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        20⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        19⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        20⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        19⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        20⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        19⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        20⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        19⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        19⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5308
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        19⤵
        Runs ping.exe
        
        PID:5480
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        19⤵
        Runs ping.exe
        
        PID:5508
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        19⤵
        Runs ping.exe
        
        PID:5532
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        17⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        18⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        17⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        18⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        17⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        17⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5920
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        17⤵
        Runs ping.exe
        
        PID:5956
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        17⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        17⤵
        Runs ping.exe
        
        PID:6012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        15⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        16⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        System policy modification
        
        PID:6096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        17⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        18⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        19⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        20⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        19⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        20⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        19⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        20⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        21⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        22⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        21⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        22⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        21⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        22⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        21⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        22⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        23⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        24⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        23⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        24⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        23⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        24⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        23⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        24⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        23⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        24⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        23⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        23⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5852
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        23⤵
        Runs ping.exe
        
        PID:5904
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        23⤵
        Runs ping.exe
        
        PID:5884
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        23⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        21⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        22⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        21⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        21⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2928
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        21⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        21⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        21⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        19⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        20⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        19⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        20⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        19⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        19⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6188
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        19⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        19⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        19⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        17⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        18⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        17⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        18⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:6288
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        19⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        20⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        19⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        20⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        19⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        20⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        19⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        20⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        19⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        20⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        19⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        19⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6820
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        19⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        19⤵
        Runs ping.exe
        
        PID:6908
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        19⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        17⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        18⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        17⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        18⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        17⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        17⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2932
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        17⤵
        Runs ping.exe
        
        PID:5348
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        17⤵
        Runs ping.exe
        
        PID:1884
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        17⤵
        Runs ping.exe
        
        PID:6416
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        15⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        16⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        15⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        16⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5448
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        17⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        18⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        17⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        18⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        17⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        18⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        17⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        18⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        17⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        18⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        17⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        17⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7076
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        17⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        17⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        17⤵
        Runs ping.exe
        
        PID:6356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        15⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        16⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        15⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        15⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7128
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        15⤵
        Runs ping.exe
        
        PID:6384
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        15⤵
        Runs ping.exe
        
        PID:6392
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        15⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5880
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:5992
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:6120
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6128
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:5204
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:5244
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5604
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:5692
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:5700
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4452
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:4532
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:4544
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:4556
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:4036
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        
        PID:3196
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3324
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3216
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3412
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:3432
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      PID:2112
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Event Triggered Execution: Image File Execution Options Injection
      Modifies system executable filetype association
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      System policy modification
      PID:2632
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        
        PID:2496
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        
        PID:2296
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        
        PID:236
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        Drops file in System32 directory
        
        PID:1360
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        Drops file in System32 directory
        
        PID:1120
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1900
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:952
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    PID:840
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:236
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    PID:900
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:904
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1807969252-60883321013751603312104404055-96003685510532165421315077311189116941"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12305461281442068018544800414-6621463801967067329-11145491491760315757-527092482"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55909669-21198743001399216258-9479552541013396528320116790747671222670951451"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-114281911225509209-1093341241-3381419101157564576104826891114594071171031236572"
1⤵
PID:3388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1711182298-350465951-92665264-9349541883827948331434817189-1989986883-2044548501"
1⤵
PID:3420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2051947973-1976764203-10037739401915822252-2333966931687492259-1532805208383043439"
1⤵
PID:4756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-199704310930956877978794476555982487514095155692087347267-412554920-957409275"
1⤵
PID:3220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1558077430547779279-9002941291228061388441540638499109873764539974-1726724558"
1⤵
PID:5088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "638186426-1536228330-18178276201474127729-20392541841792956519164095204784686878"
1⤵
PID:4588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1617623067-22365660-1802823688133350246-940970642-571120464-10795303631994161466"
1⤵
PID:4512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2129006594-6103156261814825425-868248950-2824211717278326421832223048852504205"
1⤵
PID:4900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1259874740-470500474-1607561255-2882981661954419610-1726503674-1617602196-1267499416"
1⤵
PID:5436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1985432668-1698507989-19134772714309982281232702719-2118451833-27980807-959972444"
1⤵
PID:5496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8976891762070084351-995585559420380119927717605431326092-1812342152-432329328"
1⤵
PID:4180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1363692661-13700570181710730629-1630647664-479780251484344844-9161301-1509880743"
1⤵
PID:5652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13726895801140868737-3585721362070611399-5548628671865495808-199357082-738201091"
1⤵
PID:5876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
127KB

MD5
df8f848e7bb845f99913155be32d5e9f

SHA1
7c616f34bf1ef6dd90cac04c5acb3714adb61905

SHA256
b9799b1e79aa1405bdd04a71d03e9de29b8c5ff6425beca8534f6f1fe8658173

SHA512
7ca9950c512082fa560c3fed5b4f96f6b710f0b5a32747e6c1510f826d5a3c89bdc406ff50bf278b5324805cff4a6723b54f93095cfdd79b2a8b81e07adfe4cf

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
307d32552bc5f9e92be0a8af1c24d142

SHA1
e2c761db8d049cfea544653d8795817b63ed71f6

SHA256
662f838a86d4d7b36083452a78be37ae44361deb358c5d1083b14fead00b4e88

SHA512
a1c0c8d4edbb19a249cefc05cb80f04a886a012eed909d6fa39eca94fa6ed5d943cace0e86732ff330ca1809d7c2999e76796a7ba1cf4755f631baf463786643

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\01428ce4113dc16b028db712cc0adbc7_JaffaCakes118.exe

Filesize
50KB

MD5
69beac0954c38e170a6db8c50fe6a055

SHA1
2b16d43fa9c5d042a030b9267846cf254d47da75

SHA256
2f850319eb8dcefbd7d7c2f405c9b5a9e76ca7ebda34751017e2f23c01a00e8e

SHA512
c219d6d014898394116b1b19ac330143396af470198334f01b2944049b5bb9fe2c5febfcb040ff6ed2e75416908b7089ff0261b7c7c2029a60c3cae8a01666a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\scdv.exe

Filesize
76KB

MD5
293d9a50328623d5c33eaf85b16fcf65

SHA1
e044b6e13271faac181ad380168dd00fa9aa3498

SHA256
4e585db3c680651f78ae6297a10896a8c4eaddcccfb82baa2352c9170476685e

SHA512
1cf730453bcfa163e0d3a5c32820699e329c32ffd76c998d7cbf6d8933971f42790d7bf1244b6280db7c36e1aa81f79b48f2ef6b689e2318750f6c3bdec45b5a

Download Submit
memory/284-447-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/284-442-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/428-417-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/432-116-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/844-384-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/860-398-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/872-509-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/872-573-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/952-187-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/984-312-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/984-354-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1068-567-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1072-431-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1100-413-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1108-167-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1108-234-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1112-266-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1156-381-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/1264-390-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1284-545-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1336-262-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/1376-205-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1388-596-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1388-532-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1496-475-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1508-449-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/1520-391-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1520-436-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1544-182-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1596-90-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1596-219-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1624-589-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1636-441-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1656-638-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1660-236-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1688-247-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1704-580-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1708-519-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1720-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1724-403-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1760-347-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1772-281-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1816-543-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1816-723-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-395-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/1980-111-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/1996-207-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2000-308-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2072-13-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2072-7-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2072-199-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2080-554-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2112-285-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2112-456-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2128-612-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2128-608-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-200-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2164-464-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2204-495-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2208-606-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2208-460-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/2232-572-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2256-273-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-339-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2296-515-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2304-230-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2304-226-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2320-235-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/2324-402-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2332-626-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2348-490-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2348-299-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2356-631-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/2360-563-0x00000000002C0000-0x00000000002E0000-memory.dmp

Filesize
128KB

Download
memory/2380-547-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2380-544-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-277-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2404-220-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2404-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-591-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-588-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2456-411-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2456-359-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2456-412-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2456-360-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2464-498-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2564-366-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2600-480-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2600-479-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2632-483-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2632-335-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2656-270-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-377-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2696-289-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-373-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2716-607-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2736-331-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2864-324-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2956-616-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/3032-320-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/3036-632-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3064-410-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download