Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20/09/2024, 13:57
General
-
Target
edbc403b2fefd3c6726c191f9c1a75a8_JaffaCakes118.exe
-
Size
50KB
-
MD5
edbc403b2fefd3c6726c191f9c1a75a8
-
SHA1
2114fffe8bd4a164804cb206eb6305ab65ac74cc
-
SHA256
9d2e34a055edfaefe95ba0d90b3d2a4a5cefb3279b89ff894c789b8218af12ca
-
SHA512
2ed371b0055c92990e68b4d6853291dfe4782640bd3881108b3a6b8e5110c1cf7581496f2f308d10a9ccf69cb38eef56ee0fa258ffe99762310450d836bef958
-
SSDEEP
768:EMXkE7U60L5jTgc/iPQc0Ic+a+GlKyHu0y3u02qU6E4/IJe/nbcuyD7UIu:EMUYU6U5jUdPQc+n35KZg8/nouy8Iu
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\edbc403b2fefd3c6726c191f9c1a75a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\edbc403b2fefd3c6726c191f9c1a75a8_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13404⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13403⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13404⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13403⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13402⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1548773517896151064553378311345287046-16841443931052819785-1502189128-836901813"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-58550637376648016-9164796261402699519-1407572751-7544321922122546032-1611892557"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-219180549750810170-13168129691165248120-106051999620314288901497390704-11901433"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-146257113017872652387917879313141485312457090021917925451615473516176985615"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-817904593-879480964-119598401920911040901081285182-1260524830907634106-1340553684"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1656580358752293696-781077783506570036-169716390-12355036387589336611697789206"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1201185563879208988-21707722117490557551565952852398385437573678964141848983"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1625698447330006729-1626934378-1334917888198742180-604210148938765447-466789194"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "991337502-1303824610719627113-13750717071290628336-1466910351-11968409381360982652"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "11753278841478391339523013182-1292707378133380095918070403561264235441720194763"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1399992189-1769348917-1302719401631280451073187496-1206950458841845211-1337201931"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-220658316-1032956015564186084707712986-1638291801-10265894212085423388-1554867916"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-163179239125596510-40815999215764140164254831-7854837206547200271513640553"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2012410748-764173745-13396934281680352950714525522-6443792711530025011-877956534"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1135897716-280417841-563401575-172787277317174950171231180981478113933-1261024516"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1468122169-1995655960-1003699552-745190464-1786031933497723069-808193870-858231356"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2005178632851555438-1915468070-150073066115456061517612952583545756521658429673"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-203174065-1493720390-1477688108-146499654-16978093171530767156-1893387229-1225418303"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1934242892-198291384374644346-1634694090309326309-36529585472098559-202720948"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "589200777-620677762-440807651-1517451242-95049427811466689631908863895-1999699212"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-15461089971991822196149982269189067397920309521312015776780-1937842167828656205"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-70813778056337471-1357196084-398292373-1573318019-410751529-915198019751304279"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "779958807-1423386464-164031320344293105811585662941645368247-5674675091329413979"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18412857231683533249-278723556-1949629906-8819220321355716372-1928343732-2039385513"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1788851713524097482-5806603621722466805-748480820-2092889291389531015895460480"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1763599663-1941373844-156538217341706287-1685688208-1519885015-1420136947-600570546"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1168463404-77143985137190601-306770205-16836808161509122254797488704583634208"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
50KB
MD5d04777f4f3a4ad6af7f826ef26a46e2f
SHA1ad1bf23277b9da0991a3c1c65aa10f26b67bb533
SHA256cc84209c21f53ebfcb7e0b82f537e3e5693fa56940f3751dbd10b88c92eaa051
SHA512b8fdb5039868a5c374bf9d4f1952ba784d019e5a369840152a4cd67d01a9c653ba974fdf546bbf9092b50728103ad113ee3a32bcf745148a97fac9db8aa4f2f2
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB