75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Size

127KB
MD5

e673826d4aab0000086152f00d9e3940
SHA1

3b2b6fb5f069fa763ffdf03832d4fb06d6ea4f43
SHA256

75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13
SHA512

c87b78964e5eca75b4beeedfd51cb3275c01443d33a66c3f44cb9d4d67b48247563fb36d18fe495462da88a86b7b6c2e567863b1b2cbabf1bcdc3bb9d66927f2
SSDEEP

1536:Xamlu3hbBGy3G8nhMpD7MUYU6U5jUdPQc+n35KZg8/nouy8Iu:XreMPd/MYjUtQl78vout

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 42 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 44 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	vcha.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 42 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe

Disables RegEdit via registry modification 42 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	services.exe

Executes dropped EXE 64 IoCs

pid	Process
2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
2712	csrss.exe
2776	csrss.exe
1836	csrss.exe
2660	csrss.exe
3028	vcha.exe
1988	smss.exe
2496	smss.exe
2656	csrss.exe
2064	csrss.exe
2684	smss.exe
2020	smss.exe
2556	lsass.exe
2196	lsass.exe
1148	csrss.exe
300	csrss.exe
2364	smss.exe
2988	smss.exe
496	lsass.exe
2972	lsass.exe
1564	services.exe
600	services.exe
748	csrss.exe
564	csrss.exe
3056	smss.exe
1828	smss.exe
1536	lsass.exe
988	lsass.exe
2124	services.exe
3044	services.exe
888	winlogon.exe
1728	winlogon.exe
1612	csrss.exe
1848	csrss.exe
1040	smss.exe
1628	smss.exe
2312	lsass.exe
2548	lsass.exe
2912	services.exe
2424	services.exe
2144	winlogon.exe
2780	winlogon.exe
2824	Paraysutki_VM_Community
2756	Paraysutki_VM_Community
3016	winlogon.exe
1924	winlogon.exe
2432	csrss.exe
3000	csrss.exe
2888	smss.exe
1336	smss.exe
2280	lsass.exe
2108	lsass.exe
1292	services.exe
1256	services.exe
2684	csrss.exe
1008	csrss.exe
1104	smss.exe
1268	smss.exe
2948	lsass.exe
624	lsass.exe
1632	services.exe
2044	services.exe
1488	winlogon.exe
1748	winlogon.exe

Loads dropped DLL 64 IoCs

pid	Process
2380	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
2380	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
2712	csrss.exe
2712	csrss.exe
2712	csrss.exe
2776	csrss.exe
2776	csrss.exe
2776	csrss.exe
1836	csrss.exe
1836	csrss.exe
1836	csrss.exe
2660	csrss.exe
1836	csrss.exe
1836	csrss.exe
2776	csrss.exe
2776	csrss.exe
1988	smss.exe
1988	smss.exe
1988	smss.exe
2496	smss.exe
2496	smss.exe
2496	smss.exe
2656	csrss.exe
2656	csrss.exe
2656	csrss.exe
2064	csrss.exe
2496	smss.exe
2496	smss.exe
2684	smss.exe
2684	smss.exe
2020	smss.exe
2496	smss.exe
2496	smss.exe
2556	lsass.exe
2556	lsass.exe
2556	lsass.exe
2196	lsass.exe
2196	lsass.exe
2196	lsass.exe
1148	csrss.exe
1148	csrss.exe
300	csrss.exe
2196	lsass.exe
2196	lsass.exe
2364	smss.exe
2364	smss.exe
2988	smss.exe
2196	lsass.exe
2196	lsass.exe
496	lsass.exe
496	lsass.exe
2972	lsass.exe
2196	lsass.exe
2196	lsass.exe
1564	services.exe
1564	services.exe
1564	services.exe
600	services.exe
600	services.exe
600	services.exe
748	csrss.exe
748	csrss.exe

Modifies system executable filetype association 2 TTPs 44 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	vcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	vcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe

Checks whether UAC is enabled 1 TTPs 42 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	vcha.exe
File opened (read-only)	\??\N:	vcha.exe
File opened (read-only)	\??\S:	vcha.exe
File opened (read-only)	\??\E:	vcha.exe
File opened (read-only)	\??\G:	vcha.exe
File opened (read-only)	\??\O:	vcha.exe
File opened (read-only)	\??\P:	vcha.exe
File opened (read-only)	\??\V:	vcha.exe
File opened (read-only)	\??\Z:	vcha.exe
File opened (read-only)	\??\B:	vcha.exe
File opened (read-only)	\??\I:	vcha.exe
File opened (read-only)	\??\L:	vcha.exe
File opened (read-only)	\??\Q:	vcha.exe
File opened (read-only)	\??\U:	vcha.exe
File opened (read-only)	\??\W:	vcha.exe
File opened (read-only)	\??\X:	vcha.exe
File opened (read-only)	\??\H:	vcha.exe
File opened (read-only)	\??\K:	vcha.exe
File opened (read-only)	\??\M:	vcha.exe
File opened (read-only)	\??\R:	vcha.exe
File opened (read-only)	\??\T:	vcha.exe
File opened (read-only)	\??\Y:	vcha.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	vcha.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	vcha.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	vcha.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	vcha.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	vcha.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	vcha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paraysutki_VM_Community
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2960	ping.exe
1056	ping.exe
2020	ping.exe
3900	ping.exe
7116	ping.exe
8124	ping.exe
2316	ping.exe
1068	ping.exe
572	ping.exe
3344	ping.exe
7100	ping.exe
7904	ping.exe
2744	ping.exe
448	ping.exe
5168	ping.exe
6124	ping.exe
3584	ping.exe
4712	ping.exe
5164	ping.exe
7268	ping.exe
1588	ping.exe
6580	ping.exe
8132	ping.exe
564	ping.exe
3888	ping.exe
4440	ping.exe
6672	ping.exe
6800	ping.exe
3060	ping.exe
3868	ping.exe
4192	ping.exe
5324	ping.exe
2624	ping.exe
6232	ping.exe
1864	ping.exe
6168	ping.exe
4680	ping.exe
2476	ping.exe
5100	ping.exe
2852	ping.exe
624	ping.exe
4040	ping.exe
6892	ping.exe
2108	ping.exe
3984	ping.exe
4448	ping.exe
4840	ping.exe
6000	ping.exe
6280	ping.exe
4092	ping.exe
3268	ping.exe
5180	ping.exe
5764	ping.exe
5772	ping.exe
4228	ping.exe
4924	ping.exe
7296	ping.exe
2768	ping.exe
3460	ping.exe
5160	ping.exe
6680	ping.exe
6212	ping.exe
1712	ping.exe
2040	ping.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	vcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	vcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	vcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	vcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	vcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	vcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	vcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	vcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	vcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	vcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	vcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	vcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
6672	ping.exe
448	ping.exe
4228	ping.exe
5772	ping.exe
6892	ping.exe
2092	ping.exe
6680	ping.exe
6812	ping.exe
6168	ping.exe
7600	ping.exe
600	ping.exe
2136	ping.exe
5188	ping.exe
5348	ping.exe
1104	ping.exe
3488	ping.exe
3480	ping.exe
3984	ping.exe
7608	ping.exe
2476	ping.exe
3888	ping.exe
3900	ping.exe
5180	ping.exe
6264	ping.exe
7268	ping.exe
3800	ping.exe
4092	ping.exe
4948	ping.exe
5556	ping.exe
1588	ping.exe
4712	ping.exe
4132	ping.exe
2768	ping.exe
4516	ping.exe
6280	ping.exe
6580	ping.exe
3824	ping.exe
8140	ping.exe
8132	ping.exe
2040	ping.exe
3328	ping.exe
4440	ping.exe
6300	ping.exe
4680	ping.exe
5160	ping.exe
6112	ping.exe
6232	ping.exe
1864	ping.exe
1056	ping.exe
572	ping.exe
3860	ping.exe
2108	ping.exe
3344	ping.exe
4432	ping.exe
5988	ping.exe
1916	ping.exe
748	ping.exe
2960	ping.exe
1600	ping.exe
6016	ping.exe
5816	ping.exe
7880	ping.exe
7896	ping.exe
3012	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
888	winlogon.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe
1564	services.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2708	rundll32.exe
2732	rundll32.exe
1732	rundll32.exe
1720	rundll32.exe
2728	rundll32.exe
2760	rundll32.exe
552	rundll32.exe
2684	rundll32.exe
2204	rundll32.exe
2284	rundll32.exe
3512	rundll32.exe
3760	rundll32.exe
3416	rundll32.exe
3932	rundll32.exe
3260	rundll32.exe
3120	rundll32.exe
3140	rundll32.exe
4272	rundll32.exe
4148	rundll32.exe
4424	rundll32.exe
5004	rundll32.exe
4732	rundll32.exe
5012	rundll32.exe
784	rundll32.exe
4692	rundll32.exe
5948	rundll32.exe
2560	rundll32.exe
5644	rundll32.exe
5708	rundll32.exe
5872	rundll32.exe
5608	rundll32.exe
6216	rundll32.exe
6852	rundll32.exe
6180	rundll32.exe
6588	rundll32.exe
7048	rundll32.exe
6712	rundll32.exe
7052	rundll32.exe
7096	rundll32.exe
7536	rundll32.exe
7836	rundll32.exe
8080	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2380	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
2712	csrss.exe
2776	csrss.exe
1836	csrss.exe
2660	csrss.exe
3028	vcha.exe
1988	smss.exe
2496	smss.exe
2656	csrss.exe
2064	csrss.exe
2684	smss.exe
2020	smss.exe
2556	lsass.exe
2196	lsass.exe
1148	csrss.exe
300	csrss.exe
2364	smss.exe
2988	smss.exe
496	lsass.exe
2972	lsass.exe
1564	services.exe
600	services.exe
748	csrss.exe
564	csrss.exe
3056	smss.exe
1828	smss.exe
1536	lsass.exe
988	lsass.exe
2124	services.exe
3044	services.exe
888	winlogon.exe
1728	winlogon.exe
1612	csrss.exe
1848	csrss.exe
1040	smss.exe
1628	smss.exe
2312	lsass.exe
2548	lsass.exe
2912	services.exe
2424	services.exe
2144	winlogon.exe
2780	winlogon.exe
2824	Paraysutki_VM_Community
2756	Paraysutki_VM_Community
3016	winlogon.exe
1924	winlogon.exe
2432	csrss.exe
3000	csrss.exe
2888	smss.exe
1336	smss.exe
2280	lsass.exe
2108	lsass.exe
1292	services.exe
1256	services.exe
2684	csrss.exe
1008	csrss.exe
1104	smss.exe
1268	smss.exe
2948	lsass.exe
624	lsass.exe
1632	services.exe
2044	services.exe
1488	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2560	2380	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	30
PID 2380 wrote to memory of 2560	2380	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	30
PID 2380 wrote to memory of 2560	2380	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	30
PID 2380 wrote to memory of 2560	2380	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	30
PID 2560 wrote to memory of 2712	2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	31
PID 2560 wrote to memory of 2712	2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	31
PID 2560 wrote to memory of 2712	2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	31
PID 2560 wrote to memory of 2712	2560	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe	31
PID 2712 wrote to memory of 2776	2712	csrss.exe	32
PID 2712 wrote to memory of 2776	2712	csrss.exe	32
PID 2712 wrote to memory of 2776	2712	csrss.exe	32
PID 2712 wrote to memory of 2776	2712	csrss.exe	32
PID 2776 wrote to memory of 1836	2776	csrss.exe	33
PID 2776 wrote to memory of 1836	2776	csrss.exe	33
PID 2776 wrote to memory of 1836	2776	csrss.exe	33
PID 2776 wrote to memory of 1836	2776	csrss.exe	33
PID 1836 wrote to memory of 2660	1836	csrss.exe	34
PID 1836 wrote to memory of 2660	1836	csrss.exe	34
PID 1836 wrote to memory of 2660	1836	csrss.exe	34
PID 1836 wrote to memory of 2660	1836	csrss.exe	34
PID 1836 wrote to memory of 3028	1836	csrss.exe	35
PID 1836 wrote to memory of 3028	1836	csrss.exe	35
PID 1836 wrote to memory of 3028	1836	csrss.exe	35
PID 1836 wrote to memory of 3028	1836	csrss.exe	35
PID 2776 wrote to memory of 1988	2776	csrss.exe	36
PID 2776 wrote to memory of 1988	2776	csrss.exe	36
PID 2776 wrote to memory of 1988	2776	csrss.exe	36
PID 2776 wrote to memory of 1988	2776	csrss.exe	36
PID 1988 wrote to memory of 2496	1988	smss.exe	37
PID 1988 wrote to memory of 2496	1988	smss.exe	37
PID 1988 wrote to memory of 2496	1988	smss.exe	37
PID 1988 wrote to memory of 2496	1988	smss.exe	37
PID 2496 wrote to memory of 2656	2496	smss.exe	38
PID 2496 wrote to memory of 2656	2496	smss.exe	38
PID 2496 wrote to memory of 2656	2496	smss.exe	38
PID 2496 wrote to memory of 2656	2496	smss.exe	38
PID 2656 wrote to memory of 2064	2656	csrss.exe	39
PID 2656 wrote to memory of 2064	2656	csrss.exe	39
PID 2656 wrote to memory of 2064	2656	csrss.exe	39
PID 2656 wrote to memory of 2064	2656	csrss.exe	39
PID 2496 wrote to memory of 2684	2496	smss.exe	40
PID 2496 wrote to memory of 2684	2496	smss.exe	40
PID 2496 wrote to memory of 2684	2496	smss.exe	40
PID 2496 wrote to memory of 2684	2496	smss.exe	40
PID 2684 wrote to memory of 2020	2684	smss.exe	41
PID 2684 wrote to memory of 2020	2684	smss.exe	41
PID 2684 wrote to memory of 2020	2684	smss.exe	41
PID 2684 wrote to memory of 2020	2684	smss.exe	41
PID 2496 wrote to memory of 2556	2496	smss.exe	42
PID 2496 wrote to memory of 2556	2496	smss.exe	42
PID 2496 wrote to memory of 2556	2496	smss.exe	42
PID 2496 wrote to memory of 2556	2496	smss.exe	42
PID 2556 wrote to memory of 2196	2556	lsass.exe	43
PID 2556 wrote to memory of 2196	2556	lsass.exe	43
PID 2556 wrote to memory of 2196	2556	lsass.exe	43
PID 2556 wrote to memory of 2196	2556	lsass.exe	43
PID 2196 wrote to memory of 1148	2196	lsass.exe	44
PID 2196 wrote to memory of 1148	2196	lsass.exe	44
PID 2196 wrote to memory of 1148	2196	lsass.exe	44
PID 2196 wrote to memory of 1148	2196	lsass.exe	44
PID 1148 wrote to memory of 300	1148	csrss.exe	45
PID 1148 wrote to memory of 300	1148	csrss.exe	45
PID 1148 wrote to memory of 300	1148	csrss.exe	45
PID 1148 wrote to memory of 300	1148	csrss.exe	45

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
"C:\Users\Admin\AppData\Local\Temp\75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
  C:\Users\Admin\AppData\Local\Temp\75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2560
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Checks whether UAC is enabled
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2776
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcha.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\vcha.exe" csrss
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3028
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2732
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2708
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2476
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:1916
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1256
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1732
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1720
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1864
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:2092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2728
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:1408
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        System policy modification
        
        PID:2084
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:616
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:1632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2760
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:1600
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:552
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:572
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        System policy modification
        
        PID:1012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:2004
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2684
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2204
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2040
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:1104
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2284
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:2136
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:3012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:1740
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3248
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3512
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3760
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3800
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:3824
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3132
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:784
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3416
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:3480
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:3488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3932
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3984
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3260
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:3328
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3344
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:784
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3120
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3900
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3888
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        
        PID:3820
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3908
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:3080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3140
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:3860
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4272
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:4432
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4440
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4448
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        
        PID:4456
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4560
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4324
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4732
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:784
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:4516
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:3820
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:4600
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4244
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:4552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5460
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5664
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5948
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:5988
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:6016
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2560
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:5348
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5160
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        System policy modification
        
        PID:5684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5644
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:6112
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5708
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:5816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5872
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        System policy modification
        
        PID:5564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        System policy modification
        
        PID:5960
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5608
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5772
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        Runs ping.exe
        
        PID:5556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6216
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:6264
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6280
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:6560
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6852
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6892
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6180
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6232
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:6300
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6588
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6580
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6672
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        System policy modification
        
        PID:6720
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:7052
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:5936
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7048
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7116
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:6712
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6680
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:6812
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:7096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7052
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6212
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6800
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6168
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7372
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7428
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7536
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:7600
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:7608
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7680
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:7836
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:7880
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:7896
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7904
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        Drops file in System32 directory
        
        PID:8060
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:8080
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8124
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8132
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:8140
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        
        PID:7092
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:7096
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7268
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        
        PID:7280
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7296
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
    3⤵
    PID:3184
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Modifies system executable filetype association
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      System policy modification
      PID:1072
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        
        PID:1408
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        
        PID:3320
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        
        PID:3140
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        
        PID:3988
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        
        PID:1716
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:3988
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        Modifies registry class
        System policy modification
        
        PID:1988
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4148
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4228
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4424
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4680
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4712
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    PID:4688
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Event Triggered Execution: Image File Execution Options Injection
      Modifies system executable filetype association
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      System policy modification
      PID:4764
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        
        PID:4820
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        
        PID:4944
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        System policy modification
        
        PID:4968
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5004
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:4132
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        
        PID:4248
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        
        PID:4504
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:2896
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        
        PID:4956
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5012
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4192
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:4948
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        
        PID:3912
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      PID:4872
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5048
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4692
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5168
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5180
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:5188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1818496215-968802290-856047379-671997172-1885651694-1254912632485369724-1060803665"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8384921272175119671922261080-8741887661006558928444190591-51782716-183129370"
1⤵
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-321841906-18725865051441250147-813439364-16098960601954408751194562095231254597"
1⤵
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "220601774-10765333771667511930-16112503-1458693139-1269012290-797372423895268481"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6897176812074039174-311757091381798871-210137253-117630776-1520308468-1681283514"
1⤵
PID:3316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-196685086-358441539492827309-1470456012876723607-458201626-1380740351-597018357"
1⤵
PID:3112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1778845732-12285495801087437552-20027352781458331304880733689-8967269781857292541"
1⤵
PID:4084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-336141439-1637905368-1458329077-238495908-855310331307622883-3980552671899264841"
1⤵
PID:3896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "125111467-6194007471474224795935220569253318989-916511455-577796217-226730862"
1⤵
PID:5076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1223459778691004693-368644222-1157930725-136681798917003952431655338430-1643177624"
1⤵
PID:4784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1499253011-39216343832575455-1901365949-11309105901340158894693510571-2002173199"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "405950293781832109-1992737024-274661502-1565781506677705645-10430454081997824921"
1⤵
PID:3908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1126550229-10602950561322903188-481020325-98352359615152542231686429241-1991478253"
1⤵
PID:4884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1933616158-254848748-16898908774323311-408922966406938594-808371091644462031"
1⤵
PID:4324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-870172445495661933342018661-5842621521815763934340904612-1939257102-153395369"
1⤵
PID:5336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-334773151-1827601024413389182282141427-21022236656899319411721732279-2045073807"
1⤵
PID:5292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "599363240-17863675747073274911570082479-1340705629288402391401041731710066988"
1⤵
PID:5500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "820038259-283236912170542415189145582098870295911045167861975848778-582939253"
1⤵
PID:5516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11336699906264521272112078538-533832591-18473881182053576065-17868479171163386851"
1⤵
PID:6656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18442053893236174920074113461544573157203989139916923486-293763032-2098044901"
1⤵
PID:6684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1864331604635302175673270767-664987638658211626-1668402164301120541-377983296"
1⤵
PID:7084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1840230730165000793-170488765614732465011792566631-98206336-682177945-290473714"
1⤵
PID:7040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "747675177186872260513860731001360393868168937492219127655631023167235-2020723650"
1⤵
PID:6820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-826250700-26466157461499715-1649884569903623783-353201713-116152261648825147"
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
127KB

MD5
c0836329a00f7ad040b2b4be2192e733

SHA1
912fc18a6db1889fa02d2100c5ec6e5639a3c845

SHA256
f453a2e104208f1eb97a478eeb4b7e16746f99481c34b6474be36bf111909ee7

SHA512
251ec0d0d5f574854cb66afdc502e55ba6be72d36e468b80e65153f9efdc3759edd4e8866787fe38dc0c3ee5bd0973f3fe260ee1e3d26c536ae2f473389f103d

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\75b9d7a1cb7be0b867b5689bf9737812948669dc2d2ae65e6f78b899b13e5e13N.exe

Filesize
50KB

MD5
69beac0954c38e170a6db8c50fe6a055

SHA1
2b16d43fa9c5d042a030b9267846cf254d47da75

SHA256
2f850319eb8dcefbd7d7c2f405c9b5a9e76ca7ebda34751017e2f23c01a00e8e

SHA512
c219d6d014898394116b1b19ac330143396af470198334f01b2944049b5bb9fe2c5febfcb040ff6ed2e75416908b7089ff0261b7c7c2029a60c3cae8a01666a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\vcha.exe

Filesize
76KB

MD5
9ba66660279d20bd3756108eb3259476

SHA1
b07a5ca146b5ad272f24068fd284d7271689d3b2

SHA256
40acc50f320247ec83501cab2952f7c1a1a38c52be84bb455f137ded064128d8

SHA512
dd73906418d37ba78a830ba2b76a6d25c3a449f3ade130c5be918a49c562a24b3fe091cffb2f2a934840bf750cf5375556e34d35e4dbf9ca3780352a92884398

Download Submit
memory/300-228-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/300-232-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/316-473-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/332-490-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/356-639-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/496-244-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/564-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/600-302-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/600-355-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/616-498-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-412-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/748-265-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/888-300-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/888-301-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/888-338-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/972-648-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/988-284-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1008-397-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1012-619-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1104-401-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/1148-226-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/1212-523-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1212-635-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/1212-560-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1256-425-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1256-595-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1256-434-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1268-405-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1292-387-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1292-424-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1360-530-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/1408-494-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1408-679-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1536-280-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/1616-552-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1628-318-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1632-416-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/1632-571-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1632-562-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-346-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-339-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1748-429-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1752-438-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/1784-580-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1800-631-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1828-276-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-107-0x0000000001B90000-0x0000000001BB0000-memory.dmp

Filesize
128KB

Download
memory/1848-311-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1884-566-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1924-393-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1924-447-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1988-220-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1988-165-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1988-164-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2020-206-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2044-420-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-188-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-577-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-524-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2100-612-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2100-556-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2108-383-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2132-522-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2132-481-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2196-457-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2196-259-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2196-219-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2212-477-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2240-561-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2280-380-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2312-322-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/2356-537-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2364-236-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2380-7-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/2380-167-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/2392-442-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-602-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2424-334-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-366-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2480-505-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2496-227-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2520-606-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2520-545-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2520-643-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2548-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2556-258-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2556-218-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2560-181-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2660-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2684-200-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2712-183-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2756-627-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2776-199-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2780-342-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2888-373-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/2912-330-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2948-409-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2956-512-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-248-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2988-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3008-623-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3016-357-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/3044-290-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3060-541-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3068-548-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3164-720-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3424-762-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download