b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Worm/NadIote/Nadlote.exe
Size

240KB
MD5

57aecbcdcb3a5ad31ac07c5a62b56085
SHA1

a443c574f039828d237030bc18895027ca780337
SHA256

ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3
SHA512

7921f184411f898a78c7094176fa47368b1c6ba7d6a3f58df4332e6865325287f25622f1d13765fd08d499d34974461b2ee81319adc24ce3901cc72d132b3027
SSDEEP

6144:fFzclWnzp5DFV0FuS5hPGR/CnA1G+Ghgav/06hyTu:RcURxR/CnA0rhgaJy

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	CMD.exe
2592	CMD.exe

Adds Run key to start application 2 TTPs 41 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\smss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\smss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\smss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\smss = "smss\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\smss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\smss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "c:\\RECYCLER\\smss.exe "	reg.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\c:\autorun.INF	smss.exe
File opened for modification	\??\f:\autorun.INF	smss.exe
File opened for modification	\??\c:\RECYCLER:\autorun.INF	smss.exe
File opened for modification	\??\c:\RECYCLER\autorun.INF	smss.exe
File opened for modification	\??\d:\autorun.INF	smss.exe
File opened for modification	\??\e:\autorun.INF	smss.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Messenger\msmsgs.exe	smss.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\smss.exe	Nadlote.exe
File opened for modification	C:\Windows\smss.exe	Nadlote.exe
File opened for modification	C:\Windows\smss.exe	smss.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadlote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1076	PING.EXE
2548	cmd.exe
1796	PING.EXE
1980	cmd.exe
868	cmd.exe
1968	PING.EXE
1572	cmd.exe
2200	cmd.exe
720	PING.EXE
2784	PING.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2784	ipconfig.exe

Modifies registry key 1 TTPs 41 IoCs

Modify Registry

T1112

pid	Process
1796	reg.exe
1588	reg.exe
664	reg.exe
1528	reg.exe
2112	reg.exe
2096	reg.exe
1492	reg.exe
1672	reg.exe
1744	reg.exe
588	reg.exe
2804	reg.exe
1812	reg.exe
852	reg.exe
1032	reg.exe
1776	reg.exe
2680	reg.exe
408	reg.exe
3004	reg.exe
684	reg.exe
1828	reg.exe
2136	reg.exe
2208	reg.exe
2684	reg.exe
1368	reg.exe
812	reg.exe
2624	reg.exe
2500	reg.exe
1720	reg.exe
2236	reg.exe
2648	reg.exe
1028	reg.exe
1736	reg.exe
3056	reg.exe
2668	reg.exe
552	reg.exe
2036	reg.exe
1088	reg.exe
1664	reg.exe
584	reg.exe
968	reg.exe
2296	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\RECYCLER:\autorun.INF	smss.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1796	PING.EXE
1968	PING.EXE
1076	PING.EXE
720	PING.EXE
2784	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2284	Nadlote.exe
2732	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2388	2284	Nadlote.exe	28
PID 2284 wrote to memory of 2388	2284	Nadlote.exe	28
PID 2284 wrote to memory of 2388	2284	Nadlote.exe	28
PID 2284 wrote to memory of 2388	2284	Nadlote.exe	28
PID 2284 wrote to memory of 2592	2284	Nadlote.exe	29
PID 2284 wrote to memory of 2592	2284	Nadlote.exe	29
PID 2284 wrote to memory of 2592	2284	Nadlote.exe	29
PID 2284 wrote to memory of 2592	2284	Nadlote.exe	29
PID 2388 wrote to memory of 2648	2388	cmd.exe	32
PID 2388 wrote to memory of 2648	2388	cmd.exe	32
PID 2388 wrote to memory of 2648	2388	cmd.exe	32
PID 2388 wrote to memory of 2648	2388	cmd.exe	32
PID 2592 wrote to memory of 2732	2592	CMD.exe	33
PID 2592 wrote to memory of 2732	2592	CMD.exe	33
PID 2592 wrote to memory of 2732	2592	CMD.exe	33
PID 2592 wrote to memory of 2732	2592	CMD.exe	33
PID 2732 wrote to memory of 3068	2732	smss.exe	34
PID 2732 wrote to memory of 3068	2732	smss.exe	34
PID 2732 wrote to memory of 3068	2732	smss.exe	34
PID 2732 wrote to memory of 3068	2732	smss.exe	34
PID 3068 wrote to memory of 2112	3068	cmd.exe	36
PID 3068 wrote to memory of 2112	3068	cmd.exe	36
PID 3068 wrote to memory of 2112	3068	cmd.exe	36
PID 3068 wrote to memory of 2112	3068	cmd.exe	36
PID 2732 wrote to memory of 2548	2732	smss.exe	37
PID 2732 wrote to memory of 2548	2732	smss.exe	37
PID 2732 wrote to memory of 2548	2732	smss.exe	37
PID 2732 wrote to memory of 2548	2732	smss.exe	37
PID 2732 wrote to memory of 2612	2732	smss.exe	38
PID 2732 wrote to memory of 2612	2732	smss.exe	38
PID 2732 wrote to memory of 2612	2732	smss.exe	38
PID 2732 wrote to memory of 2612	2732	smss.exe	38
PID 2732 wrote to memory of 2496	2732	smss.exe	40
PID 2732 wrote to memory of 2496	2732	smss.exe	40
PID 2732 wrote to memory of 2496	2732	smss.exe	40
PID 2732 wrote to memory of 2496	2732	smss.exe	40
PID 2612 wrote to memory of 1664	2612	cmd.exe	43
PID 2612 wrote to memory of 1664	2612	cmd.exe	43
PID 2612 wrote to memory of 1664	2612	cmd.exe	43
PID 2612 wrote to memory of 1664	2612	cmd.exe	43
PID 2548 wrote to memory of 3004	2548	cmd.exe	44
PID 2548 wrote to memory of 3004	2548	cmd.exe	44
PID 2548 wrote to memory of 3004	2548	cmd.exe	44
PID 2548 wrote to memory of 3004	2548	cmd.exe	44
PID 2496 wrote to memory of 2784	2496	cmd.exe	45
PID 2496 wrote to memory of 2784	2496	cmd.exe	45
PID 2496 wrote to memory of 2784	2496	cmd.exe	45
PID 2496 wrote to memory of 2784	2496	cmd.exe	45
PID 2284 wrote to memory of 2980	2284	Nadlote.exe	46
PID 2284 wrote to memory of 2980	2284	Nadlote.exe	46
PID 2284 wrote to memory of 2980	2284	Nadlote.exe	46
PID 2284 wrote to memory of 2980	2284	Nadlote.exe	46
PID 2980 wrote to memory of 588	2980	cmd.exe	48
PID 2980 wrote to memory of 588	2980	cmd.exe	48
PID 2980 wrote to memory of 588	2980	cmd.exe	48
PID 2980 wrote to memory of 588	2980	cmd.exe	48
PID 2732 wrote to memory of 604	2732	smss.exe	49
PID 2732 wrote to memory of 604	2732	smss.exe	49
PID 2732 wrote to memory of 604	2732	smss.exe	49
PID 2732 wrote to memory of 604	2732	smss.exe	49
PID 604 wrote to memory of 584	604	cmd.exe	51
PID 604 wrote to memory of 584	604	cmd.exe	51
PID 604 wrote to memory of 584	604	cmd.exe	51
PID 604 wrote to memory of 584	604	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\NadIote\Nadlote.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\NadIote\Nadlote.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2648
- C:\Windows\SysWOW64\CMD.exe
  CMD /C "c:\RECYCLER\smss.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - \??\c:\RECYCLER\smss.exe
    c:\RECYCLER\smss.exe
    3⤵
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig > c:\RECYCLER\IP.dlx
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net share Love2="c:\Documents and Settings" /unlimited | net share Love1=C:\Windows /unlimited | net share Love3=d:\ /unlimited
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\net.exe
        
        net share Love2="c:\Documents and Settings" /unlimited
        5⤵
        
        PID:552
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love2="c:\Documents and Settings" /unlimited
        6⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\net.exe
        
        net share Love1=C:\Windows /unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love1=C:\Windows /unlimited
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
    - - C:\Windows\SysWOW64\net.exe
        
        net share Love3=d:\ /unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love3=d:\ /unlimited
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "smss\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "smss\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping ernet adapter L0 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1572
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping ernet adapter L0 -n 2 -w 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2068
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1088
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping ernet adapter L1 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2200
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping ernet adapter L1 -n 2 -w 3
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping ernet adapter L2 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2548
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping ernet adapter L2 -n 2 -w 3
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1500
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:1808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping ernet adapter L3 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1980
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping ernet adapter L3 -n 2 -w 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1700
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1244
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2260
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping ernet adapter L4 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:868
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping ernet adapter L4 -n 2 -w 3
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1336
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:704
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:280
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:676
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\Downloads.exe

Filesize
240KB

MD5
57aecbcdcb3a5ad31ac07c5a62b56085

SHA1
a443c574f039828d237030bc18895027ca780337

SHA256
ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3

SHA512
7921f184411f898a78c7094176fa47368b1c6ba7d6a3f58df4332e6865325287f25622f1d13765fd08d499d34974461b2ee81319adc24ce3901cc72d132b3027

Download Submit
C:\RECYCLER\autorun.INF

Filesize
379B

MD5
cba289891ec7b2f21bda3435f229537b

SHA1
791eb6ade5b072480020f649151d3309d7ef8714

SHA256
34e37c589c9cdfea750288f65d019afee10644722cc520f1e95febc5758fd4f0

SHA512
626b0ccb36d6dbe9c0fd18b3c7a3f0636fc840a7f02b81c7c1883a638044202d979d330efefbe8d891d7ec043c64ddd536beb25994dfbdc66244822a6cc6736f

Download Submit
\??\c:\RECYCLER\IP.dlx

Filesize
508B

MD5
2e67faac2150767fd954d0dc545501a9

SHA1
9137791ddd1c4368d80fd00416ebab8c1f6994bf

SHA256
f0ba860277c9cd7a3a651cea474e50b391bdfbde55c4a96968d4bb73425dde39

SHA512
6d6bc600c7320e4ba34c5cbb3b2bd044b66e7338df8116973ba42968ca66139a986b2cdb69a75e38f23208d9972202ed174e30049276bc5343e939c53572c6db

Download Submit
\??\c:\RECYCLER\check_4_online.dlx

Filesize
78B

MD5
1aee8eddef535a3c072b7f520eaf5560

SHA1
adef396d2bf5e47ef40a8ebfd53ebba7476b108f

SHA256
18e39b4a5a91f2cf56367c2d7b53830881d5d885bcccc234219c39fd0af44353

SHA512
907237c3fcfbf310f423b3a44cc6dcb1ee1cff6ce2d996b36df1b04eb6d74a5b1ceae9b3f19367e831fc9a4ee908c583e1cf212a5f3e3539d4c1f1243ba1d787

Download Submit
memory/2284-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2284-96-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2592-18-0x0000000000230000-0x0000000000275000-memory.dmp

Filesize
276KB

Download
memory/2592-100-0x0000000000230000-0x0000000000275000-memory.dmp

Filesize
276KB

Download
memory/2732-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads