Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17/11/2024, 08:48
Static task
static1
Behavioral task
behavioral1
Sample
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe
Resource
win10v2004-20241007-en
General
-
Target
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe
-
Size
52KB
-
MD5
d60ad808b8cf228430cc8190b693cada
-
SHA1
a5738bf3e1cdf9ea416de83ac9a204c2b5026d34
-
SHA256
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f
-
SHA512
ae8c0830c115130efabe19f5c404d301fe390cf36edcc46afaba9535eea8321dbf26ed8e488f21e48cf2e769e9bd2d6aa3a33d405f457803731fa7213d6a2704
-
SSDEEP
1536:HU6JhlQvW4R8ZDW2OsdCj7VhJ/YY5rInouy8rG:HRhlARSOsdwD/98outq
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 51 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 51 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe -
Disables RegEdit via registry modification 51 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe csrss.exe -
Executes dropped EXE 64 IoCs
pid Process 2188 csrss.exe 2860 csrss.exe 2788 smss.exe 2708 csrss.exe 2560 smss.exe 2300 lsass.exe 1636 csrss.exe 2336 smss.exe 712 lsass.exe 2500 services.exe 2000 csrss.exe 1752 smss.exe 1852 lsass.exe 1048 services.exe 1044 winlogon.exe 544 csrss.exe 1408 smss.exe 2376 lsass.exe 408 services.exe 1708 winlogon.exe 1664 ~Paraysutki_VM_Community~ 1192 csrss.exe 1980 smss.exe 1484 lsass.exe 880 services.exe 1476 winlogon.exe 1208 ~Paraysutki_VM_Community~ 704 ~Paraysutki_VM_Community~ 2780 csrss.exe 2816 smss.exe 2732 lsass.exe 2548 services.exe 2076 winlogon.exe 2316 csrss.exe 1200 smss.exe 2024 lsass.exe 2016 services.exe 2460 winlogon.exe 2328 ~Paraysutki_VM_Community~ 2208 ~Paraysutki_VM_Community~ 2268 winlogon.exe 1208 csrss.exe 1552 smss.exe 2580 lsass.exe 2680 services.exe 2544 csrss.exe 2604 smss.exe 2620 lsass.exe 2952 services.exe 1464 winlogon.exe 2480 ~Paraysutki_VM_Community~ 1648 csrss.exe 1272 smss.exe 2336 lsass.exe 2476 services.exe 712 winlogon.exe 1740 ~Paraysutki_VM_Community~ 588 winlogon.exe 2168 ~Paraysutki_VM_Community~ 2716 csrss.exe 268 smss.exe 2024 lsass.exe 2016 services.exe 2472 csrss.exe -
Loads dropped DLL 64 IoCs
pid Process 2204 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 2204 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 2188 csrss.exe 2188 csrss.exe 2188 csrss.exe 2860 csrss.exe 2188 csrss.exe 2188 csrss.exe 2788 smss.exe 2788 smss.exe 2788 smss.exe 2708 csrss.exe 2788 smss.exe 2788 smss.exe 2560 smss.exe 2788 smss.exe 2788 smss.exe 2300 lsass.exe 2300 lsass.exe 2300 lsass.exe 1636 csrss.exe 2300 lsass.exe 2300 lsass.exe 2336 smss.exe 2300 lsass.exe 2300 lsass.exe 712 lsass.exe 2300 lsass.exe 2300 lsass.exe 2500 services.exe 2500 services.exe 2500 services.exe 2000 csrss.exe 2500 services.exe 2500 services.exe 1752 smss.exe 2500 services.exe 2500 services.exe 1852 lsass.exe 2500 services.exe 2500 services.exe 1048 services.exe 2500 services.exe 2500 services.exe 1044 winlogon.exe 1044 winlogon.exe 1044 winlogon.exe 544 csrss.exe 1044 winlogon.exe 1044 winlogon.exe 1408 smss.exe 1044 winlogon.exe 1044 winlogon.exe 2376 lsass.exe 1044 winlogon.exe 1044 winlogon.exe 408 services.exe 1044 winlogon.exe 1044 winlogon.exe 1708 winlogon.exe 1044 winlogon.exe 1044 winlogon.exe 1664 ~Paraysutki_VM_Community~ 1664 ~Paraysutki_VM_Community~ -
Modifies system executable filetype association 2 TTPs 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe ~Paraysutki_VM_Community~ File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 7444 ping.exe 8284 ping.exe 8932 ping.exe 1144 ping.exe 3404 ping.exe 4808 ping.exe 5140 ping.exe 6356 ping.exe 9064 ping.exe 6060 ping.exe 7232 ping.exe 8948 ping.exe 608 ping.exe 5936 ping.exe 5272 ping.exe 5344 ping.exe 5916 ping.exe 8144 ping.exe 3456 ping.exe 3184 ping.exe 3556 ping.exe 5088 ping.exe 5924 ping.exe 1736 ping.exe 5072 ping.exe 6468 ping.exe 1412 ping.exe 4816 ping.exe 7680 ping.exe 5800 ping.exe 5784 ping.exe 2500 ping.exe 3196 ping.exe 4240 ping.exe 4340 ping.exe 5172 ping.exe 1260 ping.exe 3160 ping.exe 6328 ping.exe 6804 ping.exe 8248 ping.exe 2992 ping.exe 4840 ping.exe 6376 ping.exe 2328 ping.exe 2688 ping.exe 6788 ping.exe 5528 ping.exe 8632 ping.exe 9036 ping.exe 7976 ping.exe 5108 ping.exe 5660 ping.exe 5640 ping.exe 5788 ping.exe 7452 ping.exe 400 ping.exe 776 ping.exe 4056 ping.exe 6016 ping.exe 7344 ping.exe 4544 ping.exe 5312 ping.exe 1044 ping.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main services.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main services.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main lsass.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe -
Runs ping.exe 1 TTPs 64 IoCs
pid Process 6424 ping.exe 1736 ping.exe 1704 ping.exe 3720 ping.exe 4032 ping.exe 4544 ping.exe 5916 ping.exe 8632 ping.exe 9064 ping.exe 2964 ping.exe 712 ping.exe 3480 ping.exe 6696 ping.exe 7216 ping.exe 8264 ping.exe 6336 ping.exe 6376 ping.exe 2840 ping.exe 5108 ping.exe 5172 ping.exe 7712 ping.exe 8460 ping.exe 1536 ping.exe 5088 ping.exe 6788 ping.exe 7096 ping.exe 7704 ping.exe 7992 ping.exe 608 ping.exe 4952 ping.exe 5140 ping.exe 8008 ping.exe 1044 ping.exe 5072 ping.exe 4904 ping.exe 5924 ping.exe 5784 ping.exe 7680 ping.exe 3160 ping.exe 4892 ping.exe 9036 ping.exe 3456 ping.exe 3556 ping.exe 5080 ping.exe 6044 ping.exe 8648 ping.exe 776 ping.exe 5908 ping.exe 6328 ping.exe 5528 ping.exe 8284 ping.exe 7508 ping.exe 7860 ping.exe 400 ping.exe 2024 ping.exe 5424 ping.exe 6404 ping.exe 7444 ping.exe 8144 ping.exe 3184 ping.exe 4364 ping.exe 5160 ping.exe 7436 ping.exe 8960 ping.exe -
Suspicious use of FindShellTrayWindow 51 IoCs
pid Process 2504 rundll32.exe 1948 rundll32.exe 2332 rundll32.exe 1936 rundll32.exe 1944 rundll32.exe 1976 rundll32.exe 644 rundll32.exe 1708 rundll32.exe 2460 rundll32.exe 1356 rundll32.exe 3408 rundll32.exe 3576 rundll32.exe 3100 rundll32.exe 3336 rundll32.exe 3800 rundll32.exe 4040 rundll32.exe 4060 rundll32.exe 4088 rundll32.exe 4760 rundll32.exe 4920 rundll32.exe 5096 rundll32.exe 4448 rundll32.exe 4620 rundll32.exe 4652 rundll32.exe 4128 rundll32.exe 5868 rundll32.exe 6140 rundll32.exe 5880 rundll32.exe 5544 rundll32.exe 5712 rundll32.exe 5832 rundll32.exe 6216 rundll32.exe 6720 rundll32.exe 6968 rundll32.exe 6156 rundll32.exe 6180 rundll32.exe 7116 rundll32.exe 6872 rundll32.exe 7352 rundll32.exe 7584 rundll32.exe 7864 rundll32.exe 7408 rundll32.exe 8040 rundll32.exe 7468 rundll32.exe 7176 rundll32.exe 8200 rundll32.exe 8576 rundll32.exe 8840 rundll32.exe 9156 rundll32.exe 9108 rundll32.exe 8832 rundll32.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2204 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 2188 csrss.exe 2860 csrss.exe 2788 smss.exe 2708 csrss.exe 2560 smss.exe 2300 lsass.exe 1636 csrss.exe 2336 smss.exe 712 lsass.exe 2500 services.exe 2000 csrss.exe 1752 smss.exe 1852 lsass.exe 1048 services.exe 1044 winlogon.exe 544 csrss.exe 1408 smss.exe 2376 lsass.exe 408 services.exe 1708 winlogon.exe 1664 ~Paraysutki_VM_Community~ 1192 csrss.exe 1980 smss.exe 1484 lsass.exe 880 services.exe 1476 winlogon.exe 1208 ~Paraysutki_VM_Community~ 704 ~Paraysutki_VM_Community~ 2780 csrss.exe 2816 smss.exe 2732 lsass.exe 2548 services.exe 2076 winlogon.exe 2316 csrss.exe 1200 smss.exe 2024 lsass.exe 2016 services.exe 2460 winlogon.exe 2328 ~Paraysutki_VM_Community~ 2208 ~Paraysutki_VM_Community~ 2268 winlogon.exe 1208 csrss.exe 1552 smss.exe 2580 lsass.exe 2680 services.exe 2544 csrss.exe 2604 smss.exe 2620 lsass.exe 2952 services.exe 1464 winlogon.exe 2480 ~Paraysutki_VM_Community~ 1648 csrss.exe 1272 smss.exe 2336 lsass.exe 2476 services.exe 712 winlogon.exe 1740 ~Paraysutki_VM_Community~ 588 winlogon.exe 2168 ~Paraysutki_VM_Community~ 2716 csrss.exe 268 smss.exe 2024 lsass.exe 2016 services.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2188 2204 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 30 PID 2204 wrote to memory of 2188 2204 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 30 PID 2204 wrote to memory of 2188 2204 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 30 PID 2204 wrote to memory of 2188 2204 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 30 PID 2188 wrote to memory of 2860 2188 csrss.exe 31 PID 2188 wrote to memory of 2860 2188 csrss.exe 31 PID 2188 wrote to memory of 2860 2188 csrss.exe 31 PID 2188 wrote to memory of 2860 2188 csrss.exe 31 PID 2188 wrote to memory of 2788 2188 csrss.exe 32 PID 2188 wrote to memory of 2788 2188 csrss.exe 32 PID 2188 wrote to memory of 2788 2188 csrss.exe 32 PID 2188 wrote to memory of 2788 2188 csrss.exe 32 PID 2788 wrote to memory of 2708 2788 smss.exe 33 PID 2788 wrote to memory of 2708 2788 smss.exe 33 PID 2788 wrote to memory of 2708 2788 smss.exe 33 PID 2788 wrote to memory of 2708 2788 smss.exe 33 PID 2788 wrote to memory of 2560 2788 smss.exe 35 PID 2788 wrote to memory of 2560 2788 smss.exe 35 PID 2788 wrote to memory of 2560 2788 smss.exe 35 PID 2788 wrote to memory of 2560 2788 smss.exe 35 PID 2788 wrote to memory of 2300 2788 smss.exe 36 PID 2788 wrote to memory of 2300 2788 smss.exe 36 PID 2788 wrote to memory of 2300 2788 smss.exe 36 PID 2788 wrote to memory of 2300 2788 smss.exe 36 PID 2300 wrote to memory of 1636 2300 lsass.exe 37 PID 2300 wrote to memory of 1636 2300 lsass.exe 37 PID 2300 wrote to memory of 1636 2300 lsass.exe 37 PID 2300 wrote to memory of 1636 2300 lsass.exe 37 PID 2300 wrote to memory of 2336 2300 lsass.exe 38 PID 2300 wrote to memory of 2336 2300 lsass.exe 38 PID 2300 wrote to memory of 2336 2300 lsass.exe 38 PID 2300 wrote to memory of 2336 2300 lsass.exe 38 PID 2300 wrote to memory of 712 2300 lsass.exe 39 PID 2300 wrote to memory of 712 2300 lsass.exe 39 PID 2300 wrote to memory of 712 2300 lsass.exe 39 PID 2300 wrote to memory of 712 2300 lsass.exe 39 PID 2300 wrote to memory of 2500 2300 lsass.exe 40 PID 2300 wrote to memory of 2500 2300 lsass.exe 40 PID 2300 wrote to memory of 2500 2300 lsass.exe 40 PID 2300 wrote to memory of 2500 2300 lsass.exe 40 PID 2500 wrote to memory of 2000 2500 services.exe 41 PID 2500 wrote to memory of 2000 2500 services.exe 41 PID 2500 wrote to memory of 2000 2500 services.exe 41 PID 2500 wrote to memory of 2000 2500 services.exe 41 PID 2500 wrote to memory of 1752 2500 services.exe 42 PID 2500 wrote to memory of 1752 2500 services.exe 42 PID 2500 wrote to memory of 1752 2500 services.exe 42 PID 2500 wrote to memory of 1752 2500 services.exe 42 PID 2500 wrote to memory of 1852 2500 services.exe 43 PID 2500 wrote to memory of 1852 2500 services.exe 43 PID 2500 wrote to memory of 1852 2500 services.exe 43 PID 2500 wrote to memory of 1852 2500 services.exe 43 PID 2500 wrote to memory of 1048 2500 services.exe 44 PID 2500 wrote to memory of 1048 2500 services.exe 44 PID 2500 wrote to memory of 1048 2500 services.exe 44 PID 2500 wrote to memory of 1048 2500 services.exe 44 PID 2500 wrote to memory of 1044 2500 services.exe 45 PID 2500 wrote to memory of 1044 2500 services.exe 45 PID 2500 wrote to memory of 1044 2500 services.exe 45 PID 2500 wrote to memory of 1044 2500 services.exe 45 PID 1044 wrote to memory of 544 1044 winlogon.exe 46 PID 1044 wrote to memory of 544 1044 winlogon.exe 46 PID 1044 wrote to memory of 544 1044 winlogon.exe 46 PID 1044 wrote to memory of 544 1044 winlogon.exe 46 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe"C:\Users\Admin\AppData\Local\Temp\d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2204 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2188 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2860
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2788 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2560
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2300 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1636
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2336
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:712
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2000
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1752
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1852
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1048
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1044 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:544
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1408
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2376
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:408
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1708
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1664 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1980
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1476
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1208
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:2504
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
PID:1536
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1144
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵PID:2120
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:1804
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:904
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:2184
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:2848
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:2180
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵
- System Location Discovery: System Language Discovery
PID:1540
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:1948
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:608
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:1760
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵PID:304
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:1756
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:2636
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:2652
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:2168
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:2768
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:2700
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:704 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2076 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2316
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2460
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:2332
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:400
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵PID:1720
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵PID:1628
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:1356
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:1976
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:1576
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:1028
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:2532
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:2840
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2208
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:1936
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1260
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1412
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵PID:2524
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:2376
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- System Location Discovery: System Language Discovery
PID:832
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:1672
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:1860
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:2920
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:1964
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:1944
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1736
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
PID:1704
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2992
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:796
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:2420
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:2628
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:1544
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:1684
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵PID:2964
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2268 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1208
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2580
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2680 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2604
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2620
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2480 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2336
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2476
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:712
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1740
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:1976
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:2532
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
PID:2840
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵PID:1004
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:2792
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:1860
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:680
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:2236
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:1428
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:644
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:2964
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
PID:1208
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2500
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:2760
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:2572
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:2816
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:2592
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:2576
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:2560
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:588
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2168 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:268
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2016 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
PID:2472
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:2336
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:1632
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:2284
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:1920
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:2884
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:1708
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:776
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1044
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2688
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:1484
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:2572
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:536
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵
- System Location Discovery: System Language Discovery
PID:2560
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
- System Location Discovery: System Language Discovery
PID:756
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:468
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵PID:1028
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:1416
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:2460
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2328
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:1752
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
PID:712
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:2076
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:2792
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:1428
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:1548
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:2544
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:536
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:1356
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:2024
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵PID:1416
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵PID:1712
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:2276
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:2580
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:2544
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:1600
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
- System Location Discovery: System Language Discovery
PID:1744
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵PID:2580
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:2508 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- System Location Discovery: System Language Discovery
PID:2844
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵PID:2336
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵PID:2468
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:3092 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵PID:3136
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:3156
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵PID:3180
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:3204
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
PID:3236 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- System Location Discovery: System Language Discovery
PID:3264
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:3280
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:3304
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- System Location Discovery: System Language Discovery
PID:3332
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:3356
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- System Location Discovery: System Language Discovery
PID:3384
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:3408
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3456
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
PID:3480
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵PID:3488
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:3496
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- System Location Discovery: System Language Discovery
PID:3532
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:3556
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:3568
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:3600
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:3612
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:3464
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:3576
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:3720
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:3728
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵PID:3736
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:3752
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:3800
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:3836
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:3852
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:3868
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:3884
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:3712 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵PID:3820
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:3892
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵PID:3952
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- System Location Discovery: System Language Discovery
PID:4004
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:4020
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:4048
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:4068
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:4092
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:3084
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:3100
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3160
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3196
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3184
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:3224
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:3244
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:3296
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:3316
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:3304
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:3364
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵PID:3188
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:3256
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:3336
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵PID:3548
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3556
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵PID:3568
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:3604
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:3756
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:3808
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:3876
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:3912
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:3916
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵PID:3552
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:3800
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵PID:4016
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵PID:4004
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- Runs ping.exe
PID:4032
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:3252
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:4080
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:468
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:3292
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:3300
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵PID:3316
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
PID:4040
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵PID:3392
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵PID:3416
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3404
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵PID:3168
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵PID:3768
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵PID:3092
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵
- System Location Discovery: System Language Discovery
PID:3696
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵PID:4060
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵PID:4088
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- System policy modification
PID:3256 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵PID:3880
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵PID:4056
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵PID:3168
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵PID:4024
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵PID:4084
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵PID:3084
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
PID:3552 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵PID:3696
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- System Location Discovery: System Language Discovery
PID:3880
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵PID:3108
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:3084
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵PID:3168
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:872 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:3880
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:3316
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:3092
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:3696
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:4056
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- System Location Discovery: System Language Discovery
PID:3528
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4060
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:4084
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
PID:268
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4056
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:3084
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:4108
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:4124
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:4140
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:4160
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:4176
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:4088
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵PID:4224
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4240
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵PID:4248
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:4256
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:4340
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:4356
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:4380
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:4424
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
- System Location Discovery: System Language Discovery
PID:4452
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4232 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵PID:4348
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:4412
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵PID:4464
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:4528
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4552 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:4580
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:4608
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:4636
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:4660
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:4708
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- System Location Discovery: System Language Discovery
PID:4732
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:4760
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4808
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4816
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4840
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:4860
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:4884
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:4932
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:4952
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:4972
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:4996
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:4824
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:4920
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5072
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
PID:5080
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5088
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:3084
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:4108
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:4144
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:4280
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:4260
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:4344
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:5096
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
PID:4364
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵PID:4420
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵PID:4428
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:4416
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:4496
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:4548
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:4580
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:4612
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵PID:4636
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵PID:4376
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4540 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵PID:4644
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- System Location Discovery: System Language Discovery
PID:4724
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4752 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵PID:4880
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:4884
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵PID:4960
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:4556
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵PID:3120
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4280 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- System Location Discovery: System Language Discovery
PID:4204
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:4640
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- System Location Discovery: System Language Discovery
PID:4852
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:4996
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:4164
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:4564
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:4620
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4340
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵PID:4548
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4544
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:4404
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:4704
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:4344
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:4704
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:4144
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:4696
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:4128
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5140
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
PID:5160
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5172
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:5196
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:5232
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:5272
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:5332
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:5352
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:5372
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵PID:5148
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵PID:5380
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5448 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:5552
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:5576
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5608 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
- System Location Discovery: System Language Discovery
PID:5644
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- System Location Discovery: System Language Discovery
PID:5684
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:5732
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:5772
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:5808
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:5840
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:5868
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
PID:5908
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5924
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5936
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:5944
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:5988
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:6028
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:6060
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:6076
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:6084
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- System Location Discovery: System Language Discovery
PID:5916
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:5996
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- System Location Discovery: System Language Discovery
PID:6068
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:6140
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5272
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5344
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- Runs ping.exe
PID:5424
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:4752
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:5444
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:5476
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:5524
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:5544
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:5596
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:4280
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
PID:5488 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:5584
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:5676
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- System Location Discovery: System Language Discovery
PID:5744
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:5784
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:5804
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:5808
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:5880
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5916
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6016
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6060
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:6080
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:6056
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:5612
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:6116
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:4752
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:5480
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:6028
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵PID:6096
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:5372
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:5544
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5660
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5312
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵PID:5648
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:5756
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:5796
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
- System Location Discovery: System Language Discovery
PID:5788
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:5828
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:5804
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:5864
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:5712
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵PID:6084
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
PID:6044
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵PID:6112
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:5432
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:6136
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:5208
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:5528
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:5756
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵PID:5784
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6000 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5340 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- System Location Discovery: System Language Discovery
PID:5832
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:6028
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
PID:5212 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:5756
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:5452
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:4752
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- System Location Discovery: System Language Discovery
PID:5528
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5788 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:6136
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵PID:5208
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:4540
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:5276
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:6072
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:5824
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:5832
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5800
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5784
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5640
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
- System Location Discovery: System Language Discovery
PID:5516
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:5804
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:6176
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:6192
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:6208
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:6236
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:4752
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:6216
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6328
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵PID:6348
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:6356
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:6364
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:6408
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:6432
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:6440
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:6476
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:6500
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:6336
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6424 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:6468
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:6532
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6580 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:6604
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵PID:6620
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- System Location Discovery: System Language Discovery
PID:6640
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:6660
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:6680
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:6700
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:6720
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵PID:6772
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6788
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6804
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:6812
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
- System Location Discovery: System Language Discovery
PID:6860
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:6888
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:6908
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:6932
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:6956
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:6780
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:6868
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:6900
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:6968
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:7060
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
PID:7080
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- Runs ping.exe
PID:7096
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:7112
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:7128
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:7136
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:5528
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:6212
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:6236
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:7072
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:6156
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6376
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
PID:6404
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
PID:6336
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:6476
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:6468
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:6596
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:6636
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:6656
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:6640
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵PID:6416
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6556 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- System Location Discovery: System Language Discovery
PID:6648
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:6684
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵PID:6824
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:6840
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6892 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
PID:6872 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:6920
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵PID:6936
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:6580
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:6248
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:7132
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:7140
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:6180
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5788
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵PID:6504
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵PID:6476
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
- System Location Discovery: System Language Discovery
PID:5212
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:6612
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:6640
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:6692
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:6648
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:6680
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:7052
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:6436
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:6800
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- System Location Discovery: System Language Discovery
PID:6780
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:6924
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:7116
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:7156
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5528
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6468
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:6652
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:6668
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:6684
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:6816
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:6908
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:6944
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- System Location Discovery: System Language Discovery
PID:7136
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:6872
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵PID:6652
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
PID:6696
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵PID:6640
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:6708
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:6780
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:6708
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:7128
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:6976
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:6868
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵PID:6764
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5212 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6424 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- System Location Discovery: System Language Discovery
PID:6536
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:7200
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:7228 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:7248
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵PID:7280
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:7312
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:7340
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:7392
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:7468
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:7584
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7680
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵PID:7696
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
PID:7704
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:7712
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:7808
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:7820
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:7856
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:7884
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:7896
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:7688
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:7764
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:7832
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:7864
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7976
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
PID:7992
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- Runs ping.exe
PID:8008
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:8016
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:8076
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:8088
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:8104
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:8128
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:8136
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:7984 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- System Location Discovery: System Language Discovery
PID:8064
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:8144
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6976 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:7208 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵PID:7240
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵PID:7272
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵PID:7256
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵PID:7320
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵PID:7348
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵PID:7340
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
PID:7408
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵PID:7528
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵PID:7560
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵PID:7548
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵PID:7580
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe10⤵PID:7620
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe10⤵PID:7672
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe10⤵PID:7692
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe10⤵PID:7712
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe10⤵PID:7800
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵PID:7512
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:7808
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:7852
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:7904
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:7908
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:8040
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵PID:8136
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
PID:6424
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8144
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:6536
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:7244
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
- System Location Discovery: System Language Discovery
PID:7284
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:7316
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:7364
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:7292
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:8064
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:7324
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:7360
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:7468
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
PID:7712
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
PID:7216
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- Runs ping.exe
PID:7508
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:7808
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:7860
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
- System Location Discovery: System Language Discovery
PID:7668
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:8084
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:6644
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:7140
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:7800 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:8028 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:7244
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:7308 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵PID:7400
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵PID:7628
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵PID:7860
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵PID:8092
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
- System Location Discovery: System Language Discovery
PID:7260
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~10⤵PID:7364
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵
- Suspicious use of FindShellTrayWindow
PID:7176
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7232
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- Runs ping.exe
PID:7860
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7344
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe10⤵PID:8148
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe10⤵PID:6644
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe10⤵PID:7252
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe10⤵PID:7620
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe10⤵
- System Location Discovery: System Language Discovery
PID:7988
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe10⤵PID:8084
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:7668
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:7260
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:8064
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:7916
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:8200
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
PID:8264
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵PID:8276
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8284
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:8292
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:8340
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:8348
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:8372
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:8388
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:8408
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:8256 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:8380
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵PID:8436
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:8472
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:8512
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:8536
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:8556
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:8576
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8632
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵PID:8640
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
PID:8648
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:8656
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:8696
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:8740
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:8760
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
- System Location Discovery: System Language Discovery
PID:8780
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:8804
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:8680
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:8732
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:8768
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:8820
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:8840
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8932
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8948
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:8960
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:8968
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:8992
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:9024
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:9044
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:9072
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:9100
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- System Location Discovery: System Language Discovery
PID:8940
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵PID:9032
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:9088
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:9156
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8248
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:8448
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
PID:8460
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:8492
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:8536
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:8592
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:8620
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:8780
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:8828
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵PID:8428
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:8832
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Location Discovery: System Language Discovery
PID:9040
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9064
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9036
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:9104
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:7800
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:9176
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:8920
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:8388
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵PID:8380
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
PID:9108
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵PID:8332
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Location Discovery: System Language Discovery
PID:8320
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵PID:8376
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵PID:8392
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵PID:8384
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵PID:8524
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵PID:8572
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵PID:8656
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵PID:8796
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵PID:7256
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵PID:7292
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
PID:7352
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
PID:7436
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7444
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7452
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵PID:7460
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe4⤵PID:7496
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe4⤵PID:7508
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe4⤵PID:7544
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe4⤵PID:7576
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe4⤵PID:7596
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵PID:4856
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵PID:4976
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵PID:4108
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵PID:3120
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
PID:4652
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
PID:4952
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵PID:5060
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- Runs ping.exe
PID:4892
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵PID:5116
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe3⤵PID:4232
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe3⤵PID:3876
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe3⤵PID:4856
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe3⤵PID:4232
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe3⤵PID:4564
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe2⤵PID:872
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe2⤵PID:5056
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe2⤵PID:4588
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe2⤵PID:3292
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~2⤵PID:4928
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵
- Suspicious use of FindShellTrayWindow
PID:4448
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
- Runs ping.exe
PID:4904
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵PID:5012
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12102⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5108
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe2⤵PID:4552
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe2⤵PID:4576
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe2⤵PID:4564
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe2⤵PID:4556
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe2⤵PID:4404
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe2⤵PID:4376
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-817782789-1787954410-196210223212542720532056039322602636206454967727-1193726516"1⤵PID:2376
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1609073395458665137-1343833497-158342511912344847141543278166-188162868-1182182006"1⤵PID:832
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1111411510-532756026-1301700332-2147402011148627814-600069831-205787530504751564"1⤵PID:2816
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "86217327212956946701425085661-1615851396-1572826406257665549-13506811082120208123"1⤵PID:4020
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1206239989403776405-9827601111572802528623595471265634497-1377485076-777878260"1⤵PID:4048
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1202265437-1435683489161320370992048674-419683569-1939098526-1704817251-755050051"1⤵PID:3528
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-548650844-1684520885-1076743500-1002847231-1968563256-1865770308408446166-424946507"1⤵PID:3092
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1409671520-10318393651402300193-147175983138881045510506561031999150544-1167884946"1⤵PID:3304
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-8631752501835116205-604440922-1824691269672226242996562700-1054318276-1751803791"1⤵PID:4356
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-4786813201479531047-250665030608515300-853913484-1112338056945894163-678948666"1⤵PID:4976
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3737556541775418470-605299046-12117575011138461681216344096-1186348529-1832436490"1⤵PID:4108
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1893201476-3962507787435477471876420815-969043498211285326-16563114931766591037"1⤵PID:4580
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1292876319251661409681041591688074077-297364029-2744704731455962915-820361988"1⤵PID:4612
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1043237654-360773346-349154554-436334801-908970564482720109955616088-1953183238"1⤵PID:4636
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-565657379-1153474989186038564585741657-768980705-1883868071-1591613781-2013284"1⤵PID:5352
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9848134822402241-19341741691732460097-824658752248155560-1525564904993512496"1⤵PID:5148
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1266165748-54184702930776708110371187731855310195-87663761513475794-6123904"1⤵PID:5744
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2136059915942140006-168552512428701733715569404901347637825-20795916341425346221"1⤵PID:5824
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "21349096232815806641817415744-17911171161411907974262067740615078889-1362018875"1⤵PID:6500
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "900033450-1936536608-677224655818895277-243661349-285239597-512262831-2104870658"1⤵PID:6596
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "4710616891615906290-1780709767-1322989804-1366787434-823043524-99481488941440439"1⤵PID:6212
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1237335241-1090148443207672580-1725725209-206933435917183311451869685528547168935"1⤵PID:6620
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-211563330-95207892417206760631255049295-1330766209-761920684-903464849-448636385"1⤵PID:6668
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1437350200202442094619690348339022527-797153546-907632503-777207122-1309904031"1⤵PID:6684
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1447939891933023992-209526503814751061051060130026-906450702560948258-1111418521"1⤵PID:7820
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1787179752129271092-2146425210589364996-1025077692-186346096420354894531208181124"1⤵PID:7896
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3381698841592884710229589408309927528-838992078-1083678543-1980732781550857140"1⤵PID:8092
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-135552523-244479234-13552618631011942419-1819502970-208451577-54914536-1367620421"1⤵PID:7320
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1173709330-1843101338185535-761738003-176657219-1232207656-7162000571196922415"1⤵PID:7364
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2047111298-742869756-483915123-1834914861541763286250470464581790310-319988345"1⤵PID:8348
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1892924201-1606349067-3025527503800567883110005031404101533-1550729044312400607"1⤵PID:8408
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-190288420648847995965389721876383451-1891054057182481120-1118858711-338212573"1⤵PID:8028
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2137078417-641063115-10760883131798098957-2131502463-684765576328224233122351558"1⤵PID:8436
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
52KB
MD5c69d2c5b778c20ce615cff6c859090ee
SHA1a2b023d971c13d9326ce51b3d329cdfc6338aec7
SHA2560960f732512daa623c57fc46c6b4380e23461c1cf18b2e0a014b7274142b6ddb
SHA51273dbcf8337e5e4542cc0aae5a52122840fd5c445baddb965f6a9baa38105286f8398ad0269df2f337a7865b81f8f4d763234b2aaac3b6721d418ad1697b407e9
-
Filesize
52KB
MD5d60ad808b8cf228430cc8190b693cada
SHA1a5738bf3e1cdf9ea416de83ac9a204c2b5026d34
SHA256d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f
SHA512ae8c0830c115130efabe19f5c404d301fe390cf36edcc46afaba9535eea8321dbf26ed8e488f21e48cf2e769e9bd2d6aa3a33d405f457803731fa7213d6a2704