Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-09-2024 05:12
General
-
Target
4031937c9b3984aafad6e51c5c297768d5d0fd8ea39368004ab4ef757fcf2337N.exe
-
Size
55KB
-
MD5
17407514735fa3208b7d6baabd40f110
-
SHA1
5b666b98c3879cb8e521acdb041476d8723d3230
-
SHA256
4031937c9b3984aafad6e51c5c297768d5d0fd8ea39368004ab4ef757fcf2337
-
SHA512
f3fbf7f48a77e8785dc64c2d257fc86f747dc69d3f632097941419e657c2fd5f390841a69112f784530ccc769c9735879bfef0a14c4e5dcd2c0a3fc72e25c0df
-
SSDEEP
1536:E1SdpUqvpSoj3UQWf81J195mdwnouy8w:E1Sd9nUQWQaWout
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 63 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 63 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 63 IoCs
-
UAC bypass 3 TTPs 63 IoCs
-
Disables RegEdit via registry modification 63 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 63 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled 1 TTPs 63 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4031937c9b3984aafad6e51c5c297768d5d0fd8ea39368004ab4ef757fcf2337N.exe"C:\Users\Admin\AppData\Local\Temp\4031937c9b3984aafad6e51c5c297768d5d0fd8ea39368004ab4ef757fcf2337N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe5⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe5⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe4⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe4⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe3⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe4⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe3⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe5⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe5⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe9⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe10⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe10⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe10⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe9⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe11⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe12⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~12⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121012⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe12⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe12⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe11⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121011⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe11⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe11⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe11⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe11⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe11⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe11⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe11⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe12⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~12⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121012⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe12⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe12⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe11⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~11⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies registry class
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe9⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe9⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe8⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe8⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe7⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe6⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe5⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe4⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe3⤵
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe2⤵
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12102⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ansav.exe /im ansavgd.exe2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im kspoold.exe /im kspool.exe2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tati.exe2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wscript.exe2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sys.exe2⤵
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1877635017-202732363-32978759642526385056500410-1586024765-1811823235932679584"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1524172944-6189208471956269519-11070745851482882971-1768777591221773263-941520144"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "203885612185385363-1315547245886304676-1915036044-493803077-17020995881392246739"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "16569832851742170327-465402004-1976707372-2063857674-341217292-1432841822-170049575"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3888445921580232648300823103-1998330916-141588560585675281487761288607398083"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1188938030-725902051-1977249573-540326269592500141670109199-585688625551258342"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "8169694116485629-564624796-905211561-3796837116730645259344562-445841303"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1534180843-1292778971-224084394-28566444-7166611231628241869438623724-1773714152"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1015663051-1185527274-1421016761-1564410716826397681445697538-1431327021-1033964054"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "173956739218684253371579001401-15096991732124976119191939322-50477012-1168443592"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-662380184621005740-1941711731948462698-1151450401-10345996181750841268390539133"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "870658513-1735252424-170688025774092940-853413910776914391024169537480483217"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "743537592284237754-1296014163-312020479-10848443825027996463594222181901475518"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1597626975639111856864719133-62059791829158543-716632059-1087237575-734943244"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1541003513-1296856330-1346821225-1353594632209768906476861585618455282861889460178"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "5841105492099376397-934531914165708711338365728962930301376763941-233986680"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1444811789362844265-2094349253520559344984348465-1685510571-15789321721538699140"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-219531453840254528110564358-1559420872746210743-8443908931723858114-992849653"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1055710862-1965619600-1765819803-1970127520-503914685200260632327222557613418400"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2111013231-134387070-1158501015201726463417372669101080711470-10344414981061624582"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "20195434361863332270-1830220939-15463510359219625776395715451510524414-1518471332"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "984632352-1731378050488258155710050295-809212022-612425508-1332140959-490604148"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2115051738-11020308471193507538-1760899875824660637108918459-19209004231735855089"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1758950064376016492140288949156342806-617835221181220349989316801-988908470"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1304181160977652296436973477-20481525581076436088-929310989-1393904242-1834431511"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2340494384822369-1149805636-807064417-804550157-922361925-4490628431032468878"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-873212176-15678106042087473046540286706-1323786430-106891392916575448121566124476"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-179596169913660317781542934950-6687071071267702113-76564207657615229-1533394277"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1420883458266985731-1723830882845134177-600999348-1428016611068198138986426192"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-939069995473771986-648192372-1862718596-1900825069-1034717094-1280603223325539278"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1055162969-21093698881819767096-20829634787546510314635965062341364741676004098"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18553541208002925045912129734443694-43510106717359654941907447754-131081465"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1768952887-1216846521-511258528433518424-5091113-218340150-1658150839-542769344"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-68985015110851342301614436821235064221-2793712981993958879-906384359625380552"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1319542776-374779536-201854105-19520884461806047129213032446435941551-1834574271"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "11573009114273438931953273978173711576289553032-10773299041299986944-871663348"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "7610371726774550851175529452124394918-443814579-998571805-7058285111613091680"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1848563278-2085514391-14301517461518725451-1425913576983711547-1568775485-302085508"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "87815547196287321420115022231735094895-1898022356-2138225762-347980276-147623974"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18907241857973838581909483099735950477-13690570121246862431663582051-2000849402"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1818859854808423512503421532-886790308-440990791991879394-577834217-9990852"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-6533346444148975513052353286024774518326543303821419191097142863-1066106418"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-41035436886327610172413775-1156543389-134631024949238909715907553991069958766"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1531388419-391144472-828222019-847192164436351091-354337294-792189433-961857405"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1417406607-979855050985002198127802820121124398131176529483-209420418904962626"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18300858573854809888281702151691302330204723346-10004433731115612472-43925511"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-784035048-166413864605808361-4426283801021084200393762534-740277760-1918157851"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "13748996392074070672-1561623137-2368408931948395563-15980352191640498882-1756651518"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-916975563470526142-11253668641108105842-606473116-584831953-13403535-1075806926"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "774006502-2863635-1816695385-1451875601815135973-2382396851714675006-1079434491"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "84529260591459527-27170542-2070026891307457297-780346125-422545310328856207"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1722634662-995540447-999756472408522664441298382-44575206-955114183-1414064173"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "177500075213877243302032429380-5513647531798542202116808054-1221833850-1800122245"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-19594609774823721941928974021-360423251-1017576982-1197481645-583816796-1334282575"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1907233374120138907-1261196043-1555015073-1027260214-1451039752222337661200243880"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-416285399-534111620-684559483951220153-712674034-1064608621-42667482-369437682"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2046315201-11933148161157380301438152531497124471-424415377-1130814212-577989565"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "19666024291527880700-10506877457865442371066472003-6536888571664579739807800829"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2060850252-1686262195888266941197589573511328163832453264231395895911-907529024"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-56951438-83136339982151280-1026603915-16871738801443344199-857672961-1093971400"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-71626335011971764281566559219-1543804545-411394693197880461019988798041384972949"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-16367289091494934093834341373-2599520171739912258-8231710201740414712581836142"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3166635777452979701011077429-500401660-1646895864-14472521481979191931-1795696615"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "130013592317728958391239992108-971920088859806780-18530282681935875540-1662848403"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-810967694-1392449041-1600690530-377230635-52650606611752453-253057474255062947"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-875395964-194580197-385377124-1351498947-4163081972936607011564974133748135341"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "533111701-1449010153-6145462181920411695-588568513-2032129571995671129-1307670182"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13687738761789858536-793312233296053507-1655228426-16989124224312076821845572259"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1081799647412538109953756887-1932699036-968161701965139161-1865988771-253364298"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1832934337-593934997-150987771514144556852063196247-7647986351634069905130988712"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "901552782749876552-1071473335314904761-1926273215-1417205581954079775227118233"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "19417532861800426011-63881024-3994569599829682-181040835-10952864-736671004"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "343375111110908640915786371843300053697270106-170164349521353796-553271549"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "526777096-348881312-8798732549007643991616172051098502598322065531789290245"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1036653428481549619-1785105592107379096915960303065579953901467683160-109476085"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-135773667020107692881823518469-1604674932884823138-680730464227433011-853274050"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-546479273-74463076113530039921132111932792241125513701113167071831767385568"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
55KB
MD590d669d18aae53d7bc29faeb4039bae2
SHA104e27a3aecbc12b7304da307794b8e272d29ae35
SHA25663148dfc65162ecc7265ecb827763ea59e00494dcdb14b56fd9960fed30725ed
SHA51268e03dff8ee79798fdfc60e2c66bcfa838acd045cce73f764645afe49160f409d80b708dafd845fe1680037b4c27a35b6b794708e01905e55a22d1fb61031456
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB