Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/09/2024, 18:05
General
-
Target
d6d752736b30cf664e20502f2f721493_JaffaCakes118.exe
-
Size
127KB
-
MD5
d6d752736b30cf664e20502f2f721493
-
SHA1
40a227e2a8f878f074e25901e4de16715367bcf6
-
SHA256
c69c2775859bb48f943da1f1045b5df86333aac52ec22ace2a4b4c98f5d6e106
-
SHA512
043a8226de1cca1f7922bfe974f8a1d2aee5c0b2621c294dd6cf42a0d0c33d8857ad06d3ff88b277bdd6b6aa8be7ff8f6d13cd18ec93399a22ed59ccae2c6b2f
-
SSDEEP
1536:Onqdu3rbBGy3G8V0iuoKYMUYU6U5jUdPQc+n35KZg8/nouy8Iu:OqYMPsLMYjUtQl78vout
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 35 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6d752736b30cf664e20502f2f721493_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d6d752736b30cf664e20502f2f721493_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d6d752736b30cf664e20502f2f721493_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d6d752736b30cf664e20502f2f721493_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\wdsp.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\wdsp.exe" csrss6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
- UAC bypass
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Modifies WinLogon for persistence
- UAC bypass
- Modifies system executable filetype association
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
- Modifies WinLogon for persistence
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Modifies visibility of file extensions in Explorer
- Event Triggered Execution: Image File Execution Options Injection
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community17⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community17⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134017⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Modifies WinLogon for persistence
- UAC bypass
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe18⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community17⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe18⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community17⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134017⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe18⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community17⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134017⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- Modifies WinLogon for persistence
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe18⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe18⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe20⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe20⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe19⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe20⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe20⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe20⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community19⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen19⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134019⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134019⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134019⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13403⤵
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-15562368271435685876614888467-1584633802620382851-7871868001708489580-74845983"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3164684741219798828-18474978761211111635-1856005978-1915474422-1829744402051295179"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "349694870-336062950-21363565212149642142130131826-157116940-2117127691-734659803"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "853012528935487678-1076306397-1850723724-160939762610605882671335205535-1522892604"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "630543973706638651-1514451033613913772-19816304861820313383-70938220-1660212233"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1172227599-1872492188-13889905151901276580-79545924851162455-408077675942052277"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-24476770-2036330692-870190558-574806865-11257727171892872546532115424887324601"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "933225415-1732797975-1812054816-1740555456-1041309227-17674091517949116341374044772"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-279519460-300142632-1147720139-1861468273-17207126331213760191-336699997-93028673"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-246755295-1781454598-1335585254-1443379571208747237110677219751486019136-237505738"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1501483306-1116215005-1676670746-1278449362441374063-857822307-1713626943351526995"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-7251468361572221628-114348023914813204741381558599-789535570-501014786-265286134"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-774168781655706258-196869125-1271845077173339284115941196771773691471940945436"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "11927257591964584501-11478395828877504011297655766400232847-7427317131450441122"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1377510934-9471142961991826203-2030861712-11888126241439793723162143003252644550"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10483805321649678525-1414411366613131031-942534327-1869881839-1528697477803992060"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "79394989611689669631989270724-1624000399-1071560922-2106024989-1832395133-426089835"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2089426034-471511307-47191968-767142155361424042332488411594460531843044751"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "20515858521691724300-15782942971672446150-849946657-190920232-542220019-161797494"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-770648485-649241377-10754923849241841302141419126-1378703218-1328648801102092040"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "54301363713197317445127293441859260618568825023-19428672901012049350-17725639"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-447926220-1735770441744400298-1037477750570319760933670705-1791174473-438536015"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11599145801825242786154669569-910787296-5656463361640733015-725841322646871121"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-21335585562826316382058834788-12791548861776285536117216934-14291991341659386040"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1335416882-567080073-749583096-687691764-12669387441645917243-13501392211729323538"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1739630915-1695943749477829731586148011-1773540893-1320219881-1422626131823889432"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-438249768-905344565-929799390-1483461939-1511141865144043837801226613-2067474441"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1806408777691549461-14608188021721360557-1186752072302555278-1804584439-570437713"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-943515276-1490155967667389367708226969-1194193353-1964006607-443502435-1695074947"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-189578902530986631851808355-11018452161013839401-1353247452570016728419736485"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "84346534-18651061556764437851392513284-1735518422214583595-951421560179440152"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-97224955078475388-262768760137897750590400495-105268763114040031371803690591"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "191763246111946703922103552071184003647620755489641360516890-1712757715-1372383238"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "187209613283434066462802076317023297808948393585607477859737346861250317633"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "15823230072554840762117569097-14509507281229868651609158511-19851824642015326302"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1344496572-155556807-896323987-1834768879-2110559033502555709-105705709-1066969964"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-16471892242099172564-1042108880363875971-1986029021-1675556810-26099434-415193110"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "455040455-1047325493-17575475342012387464-1763127046-456172728535759909-710179793"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-19749738141671891043-9591224601499058171-235707636-1540316590-1429160520-1377680665"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-423265084755441222-1678412217-19817270811702791807-1310636940-1803526614-1255085749"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1666464744-1761285710-882060286369632721-7379468281982949390-177357954726405954"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
127KB
MD574a98207cdbe73085948acd2083ce0c4
SHA1776d3c846eba82e8386f9a1281767ad3b0e4999e
SHA256fbff6ea71068ed0707fc54eda2d47b26a590de714cead6b39c93db8cac9fcdc4
SHA51210057ab7caef39a78c1d786d6f63f64c6280dcc99689d473a25b89e2df22762d6b88247cb5741f4170f63465057dfd749db4f05d774a94a203b89f022dcef6db
-
Filesize
76KB
MD52d55da5a5d84499a7903671ba4166625
SHA1163bd976bb834e827519e22caaa610b1f0fe3f02
SHA256c238aa53a1521fc665236dd6856a0f8ec29bbc5cacdc5a1a41beb9d503c71936
SHA5126d838937dc375ea628c33a909859cdb3fc096518b703a7d9300eb74c10fda9c99265f6102832a149b815caca7f179a14732b8f163036a981b1c6dd6e5171bf75
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
Filesize
76KB
MD5e064be95f2db805ddda8a6602b78a466
SHA19e329e65ca0c0a394b8f7c1d039047f399794c05
SHA25653868659c0667c04ce7672d9bc7824570320b094b9d4465036e2b8cc0196d05f
SHA512e184c8b9dea826f04e08af243db8bcd6c3a37b0d628dffc370f09e4e8c08eeb0a9bb5500da012601ebff64cfc2dbe6bab04db19a2eaac14f508c74727d7a3ff4
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB