Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2024, 08:53
Static task
static1
Behavioral task
behavioral1
Sample
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe
Resource
win10v2004-20241007-en
General
-
Target
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe
-
Size
52KB
-
MD5
d60ad808b8cf228430cc8190b693cada
-
SHA1
a5738bf3e1cdf9ea416de83ac9a204c2b5026d34
-
SHA256
d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f
-
SHA512
ae8c0830c115130efabe19f5c404d301fe390cf36edcc46afaba9535eea8321dbf26ed8e488f21e48cf2e769e9bd2d6aa3a33d405f457803731fa7213d6a2704
-
SSDEEP
1536:HU6JhlQvW4R8ZDW2OsdCj7VhJ/YY5rInouy8rG:HRhlARSOsdwD/98outq
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 21 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 21 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 21 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe -
Disables RegEdit via registry modification 21 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe -
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" lsass.exe -
Executes dropped EXE 64 IoCs
pid Process 4100 csrss.exe 412 csrss.exe 1924 smss.exe 3772 csrss.exe 3520 smss.exe 3020 lsass.exe 1648 csrss.exe 2948 smss.exe 4572 lsass.exe 4624 services.exe 2672 csrss.exe 4076 smss.exe 1204 lsass.exe 4256 services.exe 5052 winlogon.exe 4160 csrss.exe 1452 smss.exe 848 lsass.exe 4432 services.exe 932 winlogon.exe 3032 ~Paraysutki_VM_Community~ 1584 csrss.exe 2216 smss.exe 1380 lsass.exe 4720 services.exe 2100 winlogon.exe 232 ~Paraysutki_VM_Community~ 5024 ~Paraysutki_VM_Community~ 4116 winlogon.exe 3672 ~Paraysutki_VM_Community~ 5080 csrss.exe 2796 smss.exe 1100 lsass.exe 2404 services.exe 2544 csrss.exe 2228 smss.exe 3876 lsass.exe 4356 services.exe 688 winlogon.exe 628 csrss.exe 2148 smss.exe 1380 lsass.exe 3620 services.exe 3540 winlogon.exe 232 ~Paraysutki_VM_Community~ 4688 ~Paraysutki_VM_Community~ 3596 winlogon.exe 540 ~Paraysutki_VM_Community~ 5008 services.exe 1640 csrss.exe 1904 smss.exe 3492 lsass.exe 4688 services.exe 3352 winlogon.exe 2972 csrss.exe 1904 smss.exe 5108 lsass.exe 4624 csrss.exe 2972 smss.exe 704 lsass.exe 5168 services.exe 5208 winlogon.exe 5244 ~Paraysutki_VM_Community~ 5292 smss.exe -
Loads dropped DLL 64 IoCs
pid Process 4100 csrss.exe 412 csrss.exe 1924 smss.exe 3772 csrss.exe 3520 smss.exe 3020 lsass.exe 1648 csrss.exe 2948 smss.exe 4572 lsass.exe 4624 services.exe 2672 csrss.exe 4076 smss.exe 1204 lsass.exe 4256 services.exe 5052 winlogon.exe 4160 csrss.exe 1452 smss.exe 848 lsass.exe 4432 services.exe 932 winlogon.exe 3032 ~Paraysutki_VM_Community~ 1584 csrss.exe 2216 smss.exe 1380 lsass.exe 4720 services.exe 2100 winlogon.exe 232 ~Paraysutki_VM_Community~ 5024 ~Paraysutki_VM_Community~ 4116 winlogon.exe 3672 ~Paraysutki_VM_Community~ 5080 csrss.exe 2796 smss.exe 1100 lsass.exe 2404 services.exe 2544 csrss.exe 2228 smss.exe 3876 lsass.exe 4356 services.exe 688 winlogon.exe 628 csrss.exe 2148 smss.exe 1380 lsass.exe 3620 services.exe 3540 winlogon.exe 232 ~Paraysutki_VM_Community~ 4688 ~Paraysutki_VM_Community~ 3596 winlogon.exe 540 ~Paraysutki_VM_Community~ 5008 services.exe 1640 csrss.exe 1904 smss.exe 3492 lsass.exe 4688 services.exe 3352 winlogon.exe 2972 csrss.exe 1904 smss.exe 5108 lsass.exe 4624 csrss.exe 2972 smss.exe 704 lsass.exe 5168 services.exe 5208 winlogon.exe 5244 ~Paraysutki_VM_Community~ 5292 smss.exe -
Modifies system executable filetype association 2 TTPs 21 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe" csrss.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² ~Paraysutki_VM_Community~ File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll ~Paraysutki_VM_Community~ File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~ csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~² winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe csrss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~Paraysutki_VM_Community~ Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 63 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5460 ping.exe 3576 ping.exe 5504 ping.exe 6936 ping.exe 6044 ping.exe 5468 ping.exe 5848 ping.exe 5684 ping.exe 2484 ping.exe 3952 ping.exe 6944 ping.exe 7952 ping.exe 3076 ping.exe 1472 ping.exe 8128 ping.exe 6132 ping.exe 6928 ping.exe 6380 ping.exe 6680 ping.exe 3912 ping.exe 2816 ping.exe 6720 ping.exe 7524 ping.exe 6440 ping.exe 5328 ping.exe 5260 ping.exe 7928 ping.exe 8144 ping.exe 4392 ping.exe 5452 ping.exe 6952 ping.exe 7092 ping.exe 7540 ping.exe 1464 ping.exe 5840 ping.exe 4992 ping.exe 5424 ping.exe 5052 ping.exe 6052 ping.exe 1972 ping.exe 5828 ping.exe 6060 ping.exe 5204 ping.exe 5524 ping.exe 6432 ping.exe 3108 ping.exe 4024 ping.exe 6168 ping.exe 7004 ping.exe 4740 ping.exe 4116 ping.exe 2936 ping.exe 1672 ping.exe 4976 ping.exe 6396 ping.exe 7944 ping.exe 2952 ping.exe 1476 ping.exe 704 ping.exe 7548 ping.exe 8136 ping.exe 5556 ping.exe 6600 ping.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main services.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" smss.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main services.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main lsass.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main services.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" services.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main lsass.exe -
Modifies registry class 42 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ~Paraysutki_VM_Community~ Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe -
Runs ping.exe 1 TTPs 63 IoCs
pid Process 5328 ping.exe 7004 ping.exe 4392 ping.exe 6060 ping.exe 5204 ping.exe 6440 ping.exe 7548 ping.exe 8128 ping.exe 2936 ping.exe 4740 ping.exe 5260 ping.exe 6600 ping.exe 7540 ping.exe 2484 ping.exe 6132 ping.exe 5840 ping.exe 6396 ping.exe 3108 ping.exe 3576 ping.exe 5828 ping.exe 6380 ping.exe 2952 ping.exe 5052 ping.exe 5848 ping.exe 7092 ping.exe 4992 ping.exe 4976 ping.exe 5460 ping.exe 7952 ping.exe 1476 ping.exe 5424 ping.exe 4116 ping.exe 6052 ping.exe 5524 ping.exe 6432 ping.exe 6928 ping.exe 8136 ping.exe 3912 ping.exe 1472 ping.exe 6936 ping.exe 4024 ping.exe 2816 ping.exe 704 ping.exe 5504 ping.exe 6952 ping.exe 6680 ping.exe 1672 ping.exe 1972 ping.exe 3076 ping.exe 7928 ping.exe 5468 ping.exe 6720 ping.exe 7944 ping.exe 6044 ping.exe 6168 ping.exe 7524 ping.exe 1464 ping.exe 5452 ping.exe 6944 ping.exe 8144 ping.exe 3952 ping.exe 5684 ping.exe 5556 ping.exe -
Suspicious use of FindShellTrayWindow 20 IoCs
pid Process 2444 rundll32.exe 4700 rundll32.exe 2460 rundll32.exe 2604 rundll32.exe 5040 rundll32.exe 628 rundll32.exe 5648 rundll32.exe 5744 rundll32.exe 5884 rundll32.exe 6076 rundll32.exe 5996 rundll32.exe 5400 rundll32.exe 6232 rundll32.exe 6648 rundll32.exe 3564 rundll32.exe 5388 rundll32.exe 6388 rundll32.exe 7228 rundll32.exe 7788 rundll32.exe 7936 rundll32.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1208 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 4100 csrss.exe 412 csrss.exe 1924 smss.exe 3772 csrss.exe 3520 smss.exe 3020 lsass.exe 1648 csrss.exe 2948 smss.exe 4572 lsass.exe 4624 services.exe 2672 csrss.exe 4076 smss.exe 1204 lsass.exe 4256 services.exe 5052 winlogon.exe 4160 csrss.exe 1452 smss.exe 848 lsass.exe 4432 services.exe 932 winlogon.exe 3032 ~Paraysutki_VM_Community~ 1584 csrss.exe 2216 smss.exe 1380 lsass.exe 4720 services.exe 2100 winlogon.exe 232 ~Paraysutki_VM_Community~ 5024 ~Paraysutki_VM_Community~ 4116 winlogon.exe 3672 ~Paraysutki_VM_Community~ 5080 csrss.exe 2796 smss.exe 1100 lsass.exe 2404 services.exe 2544 csrss.exe 2228 smss.exe 3876 lsass.exe 4356 services.exe 688 winlogon.exe 4700 rundll32.exe 4700 rundll32.exe 2444 rundll32.exe 2444 rundll32.exe 628 csrss.exe 2148 smss.exe 1380 lsass.exe 3620 services.exe 3540 winlogon.exe 232 ~Paraysutki_VM_Community~ 4688 ~Paraysutki_VM_Community~ 3596 winlogon.exe 540 ~Paraysutki_VM_Community~ 5008 services.exe 1640 csrss.exe 1904 smss.exe 3492 lsass.exe 4688 services.exe 3352 winlogon.exe 2972 csrss.exe 1904 smss.exe 5108 lsass.exe 4624 csrss.exe 2972 smss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1208 wrote to memory of 4100 1208 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 83 PID 1208 wrote to memory of 4100 1208 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 83 PID 1208 wrote to memory of 4100 1208 d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe 83 PID 4100 wrote to memory of 412 4100 csrss.exe 85 PID 4100 wrote to memory of 412 4100 csrss.exe 85 PID 4100 wrote to memory of 412 4100 csrss.exe 85 PID 4100 wrote to memory of 1924 4100 csrss.exe 87 PID 4100 wrote to memory of 1924 4100 csrss.exe 87 PID 4100 wrote to memory of 1924 4100 csrss.exe 87 PID 1924 wrote to memory of 3772 1924 smss.exe 89 PID 1924 wrote to memory of 3772 1924 smss.exe 89 PID 1924 wrote to memory of 3772 1924 smss.exe 89 PID 1924 wrote to memory of 3520 1924 smss.exe 90 PID 1924 wrote to memory of 3520 1924 smss.exe 90 PID 1924 wrote to memory of 3520 1924 smss.exe 90 PID 1924 wrote to memory of 3020 1924 smss.exe 91 PID 1924 wrote to memory of 3020 1924 smss.exe 91 PID 1924 wrote to memory of 3020 1924 smss.exe 91 PID 3020 wrote to memory of 1648 3020 lsass.exe 92 PID 3020 wrote to memory of 1648 3020 lsass.exe 92 PID 3020 wrote to memory of 1648 3020 lsass.exe 92 PID 3020 wrote to memory of 2948 3020 lsass.exe 93 PID 3020 wrote to memory of 2948 3020 lsass.exe 93 PID 3020 wrote to memory of 2948 3020 lsass.exe 93 PID 3020 wrote to memory of 4572 3020 lsass.exe 94 PID 3020 wrote to memory of 4572 3020 lsass.exe 94 PID 3020 wrote to memory of 4572 3020 lsass.exe 94 PID 3020 wrote to memory of 4624 3020 lsass.exe 95 PID 3020 wrote to memory of 4624 3020 lsass.exe 95 PID 3020 wrote to memory of 4624 3020 lsass.exe 95 PID 4624 wrote to memory of 2672 4624 services.exe 96 PID 4624 wrote to memory of 2672 4624 services.exe 96 PID 4624 wrote to memory of 2672 4624 services.exe 96 PID 4624 wrote to memory of 4076 4624 services.exe 97 PID 4624 wrote to memory of 4076 4624 services.exe 97 PID 4624 wrote to memory of 4076 4624 services.exe 97 PID 4624 wrote to memory of 1204 4624 services.exe 98 PID 4624 wrote to memory of 1204 4624 services.exe 98 PID 4624 wrote to memory of 1204 4624 services.exe 98 PID 4624 wrote to memory of 4256 4624 services.exe 99 PID 4624 wrote to memory of 4256 4624 services.exe 99 PID 4624 wrote to memory of 4256 4624 services.exe 99 PID 4624 wrote to memory of 5052 4624 services.exe 187 PID 4624 wrote to memory of 5052 4624 services.exe 187 PID 4624 wrote to memory of 5052 4624 services.exe 187 PID 5052 wrote to memory of 4160 5052 winlogon.exe 101 PID 5052 wrote to memory of 4160 5052 winlogon.exe 101 PID 5052 wrote to memory of 4160 5052 winlogon.exe 101 PID 5052 wrote to memory of 1452 5052 winlogon.exe 102 PID 5052 wrote to memory of 1452 5052 winlogon.exe 102 PID 5052 wrote to memory of 1452 5052 winlogon.exe 102 PID 5052 wrote to memory of 848 5052 winlogon.exe 103 PID 5052 wrote to memory of 848 5052 winlogon.exe 103 PID 5052 wrote to memory of 848 5052 winlogon.exe 103 PID 5052 wrote to memory of 4432 5052 winlogon.exe 104 PID 5052 wrote to memory of 4432 5052 winlogon.exe 104 PID 5052 wrote to memory of 4432 5052 winlogon.exe 104 PID 5052 wrote to memory of 932 5052 winlogon.exe 224 PID 5052 wrote to memory of 932 5052 winlogon.exe 224 PID 5052 wrote to memory of 932 5052 winlogon.exe 224 PID 5052 wrote to memory of 3032 5052 winlogon.exe 178 PID 5052 wrote to memory of 3032 5052 winlogon.exe 178 PID 5052 wrote to memory of 3032 5052 winlogon.exe 178 PID 3032 wrote to memory of 1584 3032 ~Paraysutki_VM_Community~ 107 -
System policy modification 1 TTPs 42 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System services.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~ Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ~Paraysutki_VM_Community~ Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ~Paraysutki_VM_Community~
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe"C:\Users\Admin\AppData\Local\Temp\d5f0d487af46943e07a721bb4aa0ef14995632df6f96116ecd64915a0b98581f.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1208 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4100 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:412
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1924 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3772
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3520
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1648
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2948
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4572
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4624 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2672
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4076
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1204
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4256
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5052 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4160
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1452
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:848
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4432
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:932
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3032 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1584
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2216
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1380
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4720
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2100
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:232
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2444
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4392
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2952
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2936
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:4332
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:3992
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵
- System Location Discovery: System Language Discovery
PID:2084
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:3492
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵
- System Location Discovery: System Language Discovery
PID:724
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:4180
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵PID:2908
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1672
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3108
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3076
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:1604
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:548
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:656
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
- System Location Discovery: System Language Discovery
PID:4052
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:5008
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
- System Location Discovery: System Language Discovery
PID:5112
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5024
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4700
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4024
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4740
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4992
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:1044
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:736
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:1264
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:540
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:4584
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵PID:3004
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4116
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3672 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5080
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1100
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2404 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2544
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2228
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3876
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4356
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:688 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:628
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2148
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1380
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3620
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3540
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:232
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:2460
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1476
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3912
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2816 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:4180
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵
- System Location Discovery: System Language Discovery
PID:3032
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:548
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:4052
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:1044
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:816
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:3188
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4688
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2604
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4116
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5052
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1472 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:4584
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:1780
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- System Location Discovery: System Language Discovery
PID:4496
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:4760
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:2228
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:3876
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
- System Location Discovery: System Language Discovery
PID:2872
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3596
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:540
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:5040
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1972
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3952
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2484 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:1380
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:4720
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:4144
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:2164
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:1980
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:2912
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
- System Location Discovery: System Language Discovery
PID:4688
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
PID:628
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4976
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1464 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1044
-
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3576 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4496
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵PID:4464
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵PID:932
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵PID:2312
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵PID:4720
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵PID:1980
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵PID:5108
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5008 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1640
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1904
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3492
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4688
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3352 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2972
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1904
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5108 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4624
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2972
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5168
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5208
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5244 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:5308
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:5368
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:5456
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:5516
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:5600
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:5640
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:5744
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6044
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6052
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6060
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:6068
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:5168
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:5432
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:744
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:5592
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:5724
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
PID:6076
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5468
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5524
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5556
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:5616
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:5864
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:5756
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:2972
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:5328
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:3244
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- System Location Discovery: System Language Discovery
PID:5476
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- System Location Discovery: System Language Discovery
PID:5540
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵
- System Location Discovery: System Language Discovery
PID:5728
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:5996
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5452
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5504
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5684
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵PID:5740
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:5260
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:6104
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵
- System Location Discovery: System Language Discovery
PID:5152
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵
- System Location Discovery: System Language Discovery
PID:6096
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
- System Location Discovery: System Language Discovery
PID:5460
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5600 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5244 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵PID:5424
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- System Location Discovery: System Language Discovery
PID:5584
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5756 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵PID:3244
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:5736
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- System Location Discovery: System Language Discovery
PID:5952
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- System Location Discovery: System Language Discovery
PID:5580
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:5328 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:5400
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵PID:1100
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:5268
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:3564
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:5584
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:5424
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:5400
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5460 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:2312
-
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5424
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5260
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:5512
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:6208
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:6256
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵PID:6292
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:6308
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:6336
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵PID:5520
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- Suspicious use of FindShellTrayWindow
PID:6232
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6396
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6432
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6440
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:6484
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵
- System Location Discovery: System Language Discovery
PID:6616
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:6680
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:6720
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:6760
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:6796
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:6388
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵PID:6460
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵PID:6520
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:6648
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6928
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6944
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6952
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:6960
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵PID:7036
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:7144
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
- System Location Discovery: System Language Discovery
PID:3564
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
- System Location Discovery: System Language Discovery
PID:6228
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
- System Location Discovery: System Language Discovery
PID:6280
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵PID:6936
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:7044 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵PID:7108
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵PID:6172
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵PID:6308
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵PID:6532
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6488 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:6616 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵PID:6520
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- System Location Discovery: System Language Discovery
PID:6760
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵PID:5152
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵PID:6964
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵PID:7032
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵PID:7036
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
PID:3564
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6168 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:5520
-
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6380 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:5736
-
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5328
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵PID:5388
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵PID:6524
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵PID:6896
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
- System Location Discovery: System Language Discovery
PID:7004
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵PID:6768
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵PID:6408
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵PID:6304
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵PID:6532
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵PID:6800
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵PID:6940
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~8⤵
- System Location Discovery: System Language Discovery
PID:6936
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:6388
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6936
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6680
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6600
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe8⤵PID:6568
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe8⤵PID:7220
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe8⤵PID:7296
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe8⤵PID:7344
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe8⤵PID:7404
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe8⤵PID:7488
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- System Location Discovery: System Language Discovery
PID:6604
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:7228
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7524
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7540
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7548
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵PID:7556
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
- System Location Discovery: System Language Discovery
PID:7648
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵PID:7748
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵PID:7804
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵PID:7828
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵PID:7860
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵PID:7532
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵PID:7620
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~6⤵PID:7696
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
PID:7788
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7928
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7944
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12106⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7952
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe6⤵
- System Location Discovery: System Language Discovery
PID:7960
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe6⤵PID:8024
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe6⤵PID:8068
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe6⤵PID:8164
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe6⤵PID:7264
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe6⤵
- System Location Discovery: System Language Discovery
PID:7408
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:7936
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8128
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8136 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:6980
-
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8144 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:6504
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵PID:8156
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵PID:6188
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵
- System Location Discovery: System Language Discovery
PID:7236
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵PID:7428
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵PID:7492
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵PID:7536
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵PID:5908
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~4⤵PID:6980
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
PID:5388
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6720 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:6940
-
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7004 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2972
-
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12104⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7092
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe4⤵PID:7100
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe4⤵PID:6504
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe4⤵
- System Location Discovery: System Language Discovery
PID:6188
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe4⤵PID:7236
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe4⤵PID:7368
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe4⤵
- System Location Discovery: System Language Discovery
PID:7420
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵PID:5548
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵PID:5624
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
- System Location Discovery: System Language Discovery
PID:5696
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
- System Location Discovery: System Language Discovery
PID:5756
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:5884
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6132
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:704
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5204
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵PID:5216
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe3⤵PID:5300
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe3⤵PID:2836
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe3⤵PID:5452
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe3⤵PID:5588
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe3⤵PID:5624
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5292
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe2⤵PID:5352
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe2⤵
- System Location Discovery: System Language Discovery
PID:5404
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe2⤵PID:5448
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~2⤵PID:5508
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵
- Suspicious use of FindShellTrayWindow
PID:5648
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5828
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5840
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12102⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5848
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe2⤵PID:5876
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe2⤵PID:5940
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe2⤵
- System Location Discovery: System Language Discovery
PID:6020
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe2⤵
- System Location Discovery: System Language Discovery
PID:6120
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe2⤵PID:5220
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe2⤵PID:5356
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:4624
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1640
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:5756
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:7960
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
52KB
MD5bca1e4108793da060723af194a525786
SHA1a45481832a9053e1d61c590f81506b803beab53a
SHA25684b8ea1a3cfde13b328fa8a31a502e7539fb572fd879557538b5e85d2e9309dc
SHA5127f8785165b5b9cf70145f18016889b161440c84a24d61d84a97f22fa803b3f92b122604f91714c542182941b4b24fdbb0b104ee63a322f0a3582e78108e1fb1d