Analysis
-
max time kernel
151s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 10:41
General
-
Target
90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412.exe
-
Size
205KB
-
MD5
da35d0a8aa40579aead887722bccacb1
-
SHA1
7564332ecd857b2604121769e81cc04a808d03bf
-
SHA256
90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412
-
SHA512
157ddd73069b4c6157fede9ba253e9c580c323c1edb9cf931c68e9104685d6ac24942485b0106c27fa9674d83235dafc8777d94cdc3a12502e67933da97129c6
-
SSDEEP
3072:fqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:fqhMPssRARoiSoS3SsQLH5AK
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
-
Modifies system executable filetype association 2 TTPs 18 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 18 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 18 IoCs
-
UAC bypass 3 TTPs 16 IoCs
-
Disables RegEdit via registry modification 16 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 28 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 48 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412.exe"C:\Users\Admin\AppData\Local\Temp\90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412.exeC:\Users\Admin\AppData\Local\Temp\90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412.exe2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ncsv.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\ncsv.exe" csrss6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe11⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe12⤵
- Loads dropped DLL
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe14⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe16⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe17⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~17⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe17⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121017⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe15⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe14⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe16⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe17⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe18⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe20⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe20⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe19⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe20⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe20⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe19⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe20⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe21⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe22⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe21⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe22⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe21⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe22⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe21⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe22⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe21⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe22⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~21⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen21⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe21⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121021⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134021⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134021⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe21⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe21⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe21⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe21⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe21⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~19⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen19⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe19⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121019⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134019⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134019⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe19⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe19⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe19⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe19⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe19⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe17⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe17⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121017⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe16⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe18⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe18⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe17⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121017⤵
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- Drops file in System32 directory
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe17⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe17⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe15⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe15⤵
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe14⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe15⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe15⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe13⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe13⤵
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe11⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Change Default File Association
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
9Hidden Files and Directories
2Bypass User Account Control
1Disabling Security Tools
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Users\Admin\AppData\Local\Temp\90df6ccc83854e8870c21931b748a00e00a45aa8208b36ac616a3b4bc5329412.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Users\Admin\AppData\Roaming\Microsoft\ncsv.exeFilesize
76KB
MD5f292a05fa18633d1c4c54b354f18ecf0
SHA1b41df31bd33cd1e38152d90daf8973a5b2f9c6ab
SHA256015b1128064d299b72594d5b78d8e6c3a70e85c1145b255c193a9f0c0c8174e9
SHA51212a9239ce54aa723089d6ef30888c5d3ae802f79b49bb2896f410851185a3c1846b9a1e3865b43fc872c6cba30a7a77f187b69a377e1e698a388c3957b7af113
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLLFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeFilesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~Filesize
205KB
MD5c85038ff3222bc3f85f111503cb5c7a5
SHA1270d171aea8c5ceadbf2cde8a8bd8bd8bcba3c4f
SHA2564435a3545593ae93f070b450487f175f8765ec39e9dac573ea6c3be76603fb76
SHA512ec78b207feb1916299df0047c493d456393d9c517d20914ec5c583cf709fb27ec6a2f80e88c25bce5b3ddfb8de27abe48f71987d576ade7fd76431105cd12ceb
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\ncsv.exeFilesize
76KB
MD5f292a05fa18633d1c4c54b354f18ecf0
SHA1b41df31bd33cd1e38152d90daf8973a5b2f9c6ab
SHA256015b1128064d299b72594d5b78d8e6c3a70e85c1145b255c193a9f0c0c8174e9
SHA51212a9239ce54aa723089d6ef30888c5d3ae802f79b49bb2896f410851185a3c1846b9a1e3865b43fc872c6cba30a7a77f187b69a377e1e698a388c3957b7af113
-
\??\c:\windows\SysWOW64\Windows 3D.scrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
memory/116-375-0x0000000000000000-mapping.dmp
-
memory/116-378-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/392-508-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/392-469-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/556-431-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/640-347-0x0000000000000000-mapping.dmp
-
memory/752-401-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/764-165-0x0000000000000000-mapping.dmp
-
memory/764-170-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/848-292-0x0000000000000000-mapping.dmp
-
memory/848-295-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/868-418-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/868-271-0x0000000000000000-mapping.dmp
-
memory/868-274-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/868-503-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1048-148-0x0000000000000000-mapping.dmp
-
memory/1048-177-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1048-447-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1180-134-0x0000000000000000-mapping.dmp
-
memory/1180-404-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1180-146-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1256-546-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1256-415-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1264-394-0x0000000000000000-mapping.dmp
-
memory/1308-198-0x0000000000000000-mapping.dmp
-
memory/1308-203-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1372-371-0x0000000000000000-mapping.dmp
-
memory/1392-204-0x0000000000000000-mapping.dmp
-
memory/1456-216-0x0000000000000000-mapping.dmp
-
memory/1476-362-0x0000000000000000-mapping.dmp
-
memory/1484-171-0x0000000000000000-mapping.dmp
-
memory/1532-537-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1532-454-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1648-285-0x0000000000000000-mapping.dmp
-
memory/1648-288-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1796-514-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1796-553-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1796-246-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1796-222-0x0000000000000000-mapping.dmp
-
memory/1804-281-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1804-278-0x0000000000000000-mapping.dmp
-
memory/2128-306-0x0000000000000000-mapping.dmp
-
memory/2128-403-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2128-311-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2140-210-0x0000000000000000-mapping.dmp
-
memory/2140-215-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2148-265-0x0000000000000000-mapping.dmp
-
memory/2204-392-0x0000000000000000-mapping.dmp
-
memory/2232-259-0x0000000000000000-mapping.dmp
-
memory/2232-264-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2300-432-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2324-372-0x0000000000000000-mapping.dmp
-
memory/2392-479-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2504-370-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2504-367-0x0000000000000000-mapping.dmp
-
memory/2516-253-0x0000000000000000-mapping.dmp
-
memory/2612-191-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2612-396-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2612-185-0x0000000000000000-mapping.dmp
-
memory/2612-449-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2720-159-0x0000000000000000-mapping.dmp
-
memory/2796-391-0x0000000000000000-mapping.dmp
-
memory/3056-316-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3056-313-0x0000000000000000-mapping.dmp
-
memory/3116-179-0x0000000000000000-mapping.dmp
-
memory/3304-192-0x0000000000000000-mapping.dmp
-
memory/3364-385-0x0000000000000000-mapping.dmp
-
memory/3424-489-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3436-234-0x0000000000000000-mapping.dmp
-
memory/3436-239-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3472-384-0x0000000000000000-mapping.dmp
-
memory/3624-463-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3624-484-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3636-351-0x0000000000000000-mapping.dmp
-
memory/3636-509-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3636-359-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3636-357-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3656-379-0x0000000000000000-mapping.dmp
-
memory/3680-417-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3696-464-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3764-324-0x0000000000000000-mapping.dmp
-
memory/3812-494-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3840-355-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3840-352-0x0000000000000000-mapping.dmp
-
memory/3840-360-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3848-331-0x0000000000000000-mapping.dmp
-
memory/3884-386-0x0000000000000000-mapping.dmp
-
memory/3908-383-0x0000000000000000-mapping.dmp
-
memory/3996-345-0x0000000000000000-mapping.dmp
-
memory/4068-309-0x0000000000000000-mapping.dmp
-
memory/4092-139-0x0000000000000000-mapping.dmp
-
memory/4192-416-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/4224-361-0x0000000000000000-mapping.dmp
-
memory/4456-390-0x0000000000000000-mapping.dmp
-
memory/4456-247-0x0000000000000000-mapping.dmp
-
memory/4456-252-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/4492-228-0x0000000000000000-mapping.dmp
-
memory/4496-240-0x0000000000000000-mapping.dmp
-
memory/4552-282-0x0000000000000000-mapping.dmp
-
memory/4568-442-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/4616-332-0x0000000000000000-mapping.dmp
-
memory/4700-303-0x0000000000000000-mapping.dmp
-
memory/4700-474-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/4716-337-0x0000000000000000-mapping.dmp
-
memory/4716-344-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/4764-393-0x0000000000000000-mapping.dmp
-
memory/4780-275-0x0000000000000000-mapping.dmp
-
memory/4784-323-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/4784-320-0x0000000000000000-mapping.dmp
-
memory/4808-330-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/4808-327-0x0000000000000000-mapping.dmp
-
memory/4852-289-0x0000000000000000-mapping.dmp
-
memory/4940-296-0x0000000000000000-mapping.dmp
-
memory/4944-388-0x0000000000000000-mapping.dmp
-
memory/4984-448-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5028-343-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5028-338-0x0000000000000000-mapping.dmp
-
memory/5040-382-0x0000000000000000-mapping.dmp
-
memory/5052-433-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5088-317-0x0000000000000000-mapping.dmp
-
memory/5108-299-0x0000000000000000-mapping.dmp
-
memory/5108-302-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5304-515-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5664-525-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5868-531-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5940-539-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5940-541-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5980-543-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB