737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65

Analysis

max time kernel
5s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
Size

124KB
MD5

bcefedccbe69abf705c40dbbc596a702
SHA1

438591b71b3bda92490a849a9efe37be6fae4079
SHA256

737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65
SHA512

c42db07376dd32455778a4716c9c1519d52872527d9db36a9cc5cebc2bcdb98313a5ce5656d61b7e895e9d670c96e0b45c82a2188f3bb4e2934278b60a2cac51
SSDEEP

1536:MjmMW0owZMnS1wjkHWrHUdPSGAq1O5LWnouy8m:MFW0VqSmI2jUKmOtmout

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe

Modifies visibility of file extensions in Explorer 2 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

UAC bypass 3 TTPs 7 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3188-0-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/files/0x0007000000023427-7.dat	UPX
behavioral2/memory/4036-55-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2996-68-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2996-72-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/1472-78-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/1472-82-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/244-86-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4500-98-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3188-108-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4036-113-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/1744-106-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5112-164-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3148-168-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2648-184-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3304-192-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3304-197-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4668-207-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2756-202-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4400-209-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3348-213-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3508-232-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5012-252-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5104-256-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3508-258-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2140-262-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4388-264-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5012-249-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4388-248-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5112-267-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/1920-247-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4940-244-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4508-237-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5048-236-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3844-272-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2356-227-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3348-191-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3916-177-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/1592-161-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4864-147-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2024-141-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2128-134-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4380-128-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/1088-125-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3204-117-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/952-101-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5044-281-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2900-282-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2900-286-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4180-293-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4180-296-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/864-300-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/3304-301-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4004-309-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4660-313-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5044-314-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/748-318-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4292-322-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/4388-326-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/2952-328-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5116-331-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5116-334-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/5116-354-0x0000000000400000-0x0000000000426000-memory.dmp	UPX
behavioral2/memory/1544-361-0x0000000000400000-0x0000000000426000-memory.dmp	UPX

Disables RegEdit via registry modification 7 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rundll32.exe"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rundll32.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	Paraysutki_VM_Community

Executes dropped EXE 60 IoCs

pid	Process
4036	csrss.exe
2996	csrss.exe
1088	smss.exe
1472	csrss.exe
244	smss.exe
2024	lsass.exe
4500	csrss.exe
952	smss.exe
1744	lsass.exe
5112	services.exe
3204	csrss.exe
4280	smss.exe
4380	lsass.exe
2128	services.exe
3348	winlogon.exe
4864	csrss.exe
4480	smss.exe
4884	lsass.exe
1592	services.exe
3148	winlogon.exe
4400	Paraysutki_VM_Community
3916	csrss.exe
2648	smss.exe
3944	lsass.exe
3304	services.exe
2756	winlogon.exe
4668	Paraysutki_VM_Community
4388	Paraysutki_VM_Community
5068	csrss.exe
540	smss.exe
2316	lsass.exe
2356	services.exe
3508	winlogon.exe
5048	csrss.exe
4508	smss.exe
4940	lsass.exe
1920	services.exe
5012	winlogon.exe
5104	Paraysutki_VM_Community
2140	Paraysutki_VM_Community
3304	winlogon.exe
3844	csrss.exe
2304	smss.exe
4260	lsass.exe
5044	services.exe
2900	csrss.exe
2356	smss.exe
2768	lsass.exe
4180	services.exe
864	winlogon.exe
2952	Paraysutki_VM_Community
3096	csrss.exe
4004	smss.exe
4660	lsass.exe
748	services.exe
4292	winlogon.exe
4388	Paraysutki_VM_Community
5116	winlogon.exe
4440	Paraysutki_VM_Community
3932	csrss.exe

Loads dropped DLL 60 IoCs

pid	Process
4036	csrss.exe
2996	csrss.exe
1088	smss.exe
1472	csrss.exe
244	smss.exe
2024	lsass.exe
4500	csrss.exe
952	smss.exe
1744	lsass.exe
5112	services.exe
3204	csrss.exe
4280	smss.exe
4380	lsass.exe
2128	services.exe
3348	winlogon.exe
4864	csrss.exe
4480	smss.exe
4884	lsass.exe
1592	services.exe
3148	winlogon.exe
4400	Paraysutki_VM_Community
3916	csrss.exe
2648	smss.exe
3944	lsass.exe
3304	services.exe
2756	winlogon.exe
4668	Paraysutki_VM_Community
4388	Paraysutki_VM_Community
5068	csrss.exe
540	smss.exe
2316	lsass.exe
2356	services.exe
3508	winlogon.exe
5048	csrss.exe
4508	smss.exe
4940	lsass.exe
1920	services.exe
5012	winlogon.exe
5104	Paraysutki_VM_Community
2140	Paraysutki_VM_Community
3304	winlogon.exe
3844	csrss.exe
2304	smss.exe
4260	lsass.exe
5044	services.exe
2900	csrss.exe
2356	smss.exe
2768	lsass.exe
4180	services.exe
864	winlogon.exe
2952	Paraysutki_VM_Community
3096	csrss.exe
4004	smss.exe
4660	lsass.exe
748	services.exe
4292	winlogon.exe
4388	Paraysutki_VM_Community
5116	winlogon.exe
4440	Paraysutki_VM_Community
3932	csrss.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community

Adds Run key to start application 2 TTPs 35 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	Paraysutki_VM_Community
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	Paraysutki_VM_Community
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	Paraysutki_VM_Community
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	Paraysutki_VM_Community
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	Paraysutki_VM_Community
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	Paraysutki_VM_Community
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	Paraysutki_VM_Community
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
15672	ping.exe
6728	ping.exe
7600	ping.exe
4372	ping.exe
13508	ping.exe
14436	ping.exe
13620	ping.exe
4232	ping.exe
9884	ping.exe
464	ping.exe
4832	ping.exe
6440	ping.exe
6688	ping.exe
7832	ping.exe
5080	ping.exe
4488	ping.exe
9112	ping.exe
9172	ping.exe
12452	ping.exe
16124	ping.exe
10116	ping.exe
9332	ping.exe
12468	ping.exe
11724	ping.exe
12580	ping.exe
14196	ping.exe
14380	ping.exe
6408	ping.exe
6996	ping.exe
7592	ping.exe
7540	ping.exe
7740	ping.exe
15308	ping.exe
12876	ping.exe
15016	ping.exe
6720	ping.exe
9760	ping.exe
11536	ping.exe
12940	ping.exe
12304	ping.exe
14316	ping.exe
8416	ping.exe
9436	ping.exe
3856	ping.exe
6672	ping.exe
5360	ping.exe
7652	ping.exe
16064	ping.exe
3432	ping.exe
7864	ping.exe
8076	ping.exe
8624	ping.exe
9556	ping.exe
1768	ping.exe
6536	ping.exe
10404	ping.exe
11164	ping.exe
14176	ping.exe
9692	ping.exe
11332	ping.exe
13228	ping.exe
15496	ping.exe
6204	ping.exe
12840	ping.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1916	rundll32.exe
4024	rundll32.exe
3872	rundll32.exe
3516	rundll32.exe
3296	rundll32.exe
4544	rundll32.exe

Suspicious use of SetWindowsHookEx 60 IoCs

pid	Process
3188	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
4036	csrss.exe
2996	csrss.exe
1088	smss.exe
1472	csrss.exe
244	smss.exe
2024	lsass.exe
4500	csrss.exe
952	smss.exe
1744	lsass.exe
5112	services.exe
3204	csrss.exe
4280	smss.exe
4380	lsass.exe
2128	services.exe
3348	winlogon.exe
4864	csrss.exe
4480	smss.exe
4884	lsass.exe
1592	services.exe
3148	winlogon.exe
4400	Paraysutki_VM_Community
3916	csrss.exe
2648	smss.exe
3944	lsass.exe
3304	services.exe
2756	winlogon.exe
4668	Paraysutki_VM_Community
4388	Paraysutki_VM_Community
5068	csrss.exe
540	smss.exe
2316	lsass.exe
2356	services.exe
3508	winlogon.exe
5048	csrss.exe
4508	smss.exe
4940	lsass.exe
1920	services.exe
5012	winlogon.exe
5104	Paraysutki_VM_Community
2140	Paraysutki_VM_Community
3304	winlogon.exe
3844	csrss.exe
2304	smss.exe
4260	lsass.exe
5044	services.exe
2900	csrss.exe
2356	smss.exe
2768	lsass.exe
4180	services.exe
864	winlogon.exe
2952	Paraysutki_VM_Community
3096	csrss.exe
4004	smss.exe
4660	lsass.exe
748	services.exe
4292	winlogon.exe
4388	Paraysutki_VM_Community
5116	winlogon.exe
4440	Paraysutki_VM_Community

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 4036	3188	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe	82
PID 3188 wrote to memory of 4036	3188	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe	82
PID 3188 wrote to memory of 4036	3188	737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe	82
PID 4036 wrote to memory of 2996	4036	csrss.exe	84
PID 4036 wrote to memory of 2996	4036	csrss.exe	84
PID 4036 wrote to memory of 2996	4036	csrss.exe	84
PID 4036 wrote to memory of 1088	4036	csrss.exe	85
PID 4036 wrote to memory of 1088	4036	csrss.exe	85
PID 4036 wrote to memory of 1088	4036	csrss.exe	85
PID 1088 wrote to memory of 1472	1088	smss.exe	86
PID 1088 wrote to memory of 1472	1088	smss.exe	86
PID 1088 wrote to memory of 1472	1088	smss.exe	86
PID 1088 wrote to memory of 244	1088	smss.exe	87
PID 1088 wrote to memory of 244	1088	smss.exe	87
PID 1088 wrote to memory of 244	1088	smss.exe	87
PID 1088 wrote to memory of 2024	1088	smss.exe	88
PID 1088 wrote to memory of 2024	1088	smss.exe	88
PID 1088 wrote to memory of 2024	1088	smss.exe	88
PID 2024 wrote to memory of 4500	2024	lsass.exe	90
PID 2024 wrote to memory of 4500	2024	lsass.exe	90
PID 2024 wrote to memory of 4500	2024	lsass.exe	90
PID 2024 wrote to memory of 952	2024	lsass.exe	91
PID 2024 wrote to memory of 952	2024	lsass.exe	91
PID 2024 wrote to memory of 952	2024	lsass.exe	91
PID 2024 wrote to memory of 1744	2024	lsass.exe	92
PID 2024 wrote to memory of 1744	2024	lsass.exe	92
PID 2024 wrote to memory of 1744	2024	lsass.exe	92
PID 2024 wrote to memory of 5112	2024	lsass.exe	93
PID 2024 wrote to memory of 5112	2024	lsass.exe	93
PID 2024 wrote to memory of 5112	2024	lsass.exe	93
PID 5112 wrote to memory of 3204	5112	services.exe	94
PID 5112 wrote to memory of 3204	5112	services.exe	94
PID 5112 wrote to memory of 3204	5112	services.exe	94
PID 5112 wrote to memory of 4280	5112	services.exe	95
PID 5112 wrote to memory of 4280	5112	services.exe	95
PID 5112 wrote to memory of 4280	5112	services.exe	95
PID 5112 wrote to memory of 4380	5112	services.exe	96
PID 5112 wrote to memory of 4380	5112	services.exe	96
PID 5112 wrote to memory of 4380	5112	services.exe	96
PID 5112 wrote to memory of 2128	5112	services.exe	97
PID 5112 wrote to memory of 2128	5112	services.exe	97
PID 5112 wrote to memory of 2128	5112	services.exe	97
PID 5112 wrote to memory of 3348	5112	services.exe	184
PID 5112 wrote to memory of 3348	5112	services.exe	184
PID 5112 wrote to memory of 3348	5112	services.exe	184
PID 3348 wrote to memory of 4864	3348	winlogon.exe	99
PID 3348 wrote to memory of 4864	3348	winlogon.exe	99
PID 3348 wrote to memory of 4864	3348	winlogon.exe	99
PID 3348 wrote to memory of 4480	3348	winlogon.exe	100
PID 3348 wrote to memory of 4480	3348	winlogon.exe	100
PID 3348 wrote to memory of 4480	3348	winlogon.exe	100
PID 3348 wrote to memory of 4884	3348	winlogon.exe	101
PID 3348 wrote to memory of 4884	3348	winlogon.exe	101
PID 3348 wrote to memory of 4884	3348	winlogon.exe	101
PID 3348 wrote to memory of 1592	3348	winlogon.exe	102
PID 3348 wrote to memory of 1592	3348	winlogon.exe	102
PID 3348 wrote to memory of 1592	3348	winlogon.exe	102
PID 3348 wrote to memory of 3148	3348	winlogon.exe	150
PID 3348 wrote to memory of 3148	3348	winlogon.exe	150
PID 3348 wrote to memory of 3148	3348	winlogon.exe	150
PID 3348 wrote to memory of 4400	3348	winlogon.exe	104
PID 3348 wrote to memory of 4400	3348	winlogon.exe	104
PID 3348 wrote to memory of 4400	3348	winlogon.exe	104
PID 4400 wrote to memory of 3916	4400	Paraysutki_VM_Community	105

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Paraysutki_VM_Community
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

C:\Users\Admin\AppData\Local\Temp\737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe
"C:\Users\Admin\AppData\Local\Temp\737dbc28f25d830dfb1f315d51266eb823c65ee1392260f48c6288c41fd86e65.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1472
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:244
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4500
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:952
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1744
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5112
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3204
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4280
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4380
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2128
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3348
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4480
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3304
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1916
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:4232
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4024
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:3432
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:4592
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5068
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3508
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4508
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3872
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:3856
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3516
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:5080
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:5100
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3296
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        
        PID:1172
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:4488
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        6⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3304
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3844
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2304
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4260
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2952
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4004
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4660
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4292
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4544
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:2732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:4832
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:864
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:220
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5116
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3932
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:884
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:5408
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        
        PID:5416
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        
        PID:5632
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        
        PID:5640
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        6⤵
        
        PID:5648
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        
        PID:5656
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        
        PID:5812
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        
        PID:5864
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        
        PID:5916
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:1852
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:6408
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:6672
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:6688
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:6696
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        6⤵
        
        PID:6680
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        
        PID:6812
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:6996
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        
        PID:7004
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        6⤵
        
        PID:7012
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        
        PID:7020
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:6728
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:6720
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      PID:6208
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      PID:6276
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      4⤵
      PID:6316
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        
        PID:6544
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        
        PID:6992
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        5⤵
        
        PID:6756
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        
        PID:6724
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        
        PID:6588
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        
        PID:6204
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        
        PID:6044
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:6972
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        6⤵
        
        PID:6496
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        
        PID:7280
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        
        PID:7524
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:7540
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        6⤵
        
        PID:7548
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        5⤵
        
        PID:7532
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        
        PID:7688
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        
        PID:7932
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:7652
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:7864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:7740
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:9112
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:7720
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        
        PID:8348
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:884
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:8076
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:9172
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:8416
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:8624
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:9556
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        Runs ping.exe
        
        PID:9884
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:9892
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        6⤵
        
        PID:9864
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        
        PID:9976
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:10116
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        
        PID:10124
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        6⤵
        
        PID:10132
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:10140
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:9436
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:10404
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:9332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:11164
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:11536
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:11820
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:12124
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:11556
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:4372
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:1768
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:11724
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:11532
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:12580
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:13092
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:13236
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:13268
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:12304
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:12448
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:12828
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:12876
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:12772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:13196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:13296
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:12940
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:12840
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:13196
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        
        PID:13044
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:11332
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:12772
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:13492
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:13500
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:13508
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        
        PID:13516
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        
        PID:13620
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        
        PID:13688
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        
        PID:13728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:13940
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:14004
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:14064
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:14100
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:14144
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:14196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:14272
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:14328
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:14008
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:14012
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        
        PID:14268
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:14196
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:13964
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:14176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:13728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:14176
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        12⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        12⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        12⤵
        Runs ping.exe
        
        PID:6440
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        12⤵
        Runs ping.exe
        
        PID:14176
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        12⤵
        
        PID:13808
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:14380
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:14396
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:14404
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:14476
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:14528
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:14580
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:14684
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:14712
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:14848
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:14884
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        12⤵
        
        PID:14912
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        12⤵
        
        PID:14952
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        12⤵
        
        PID:15000
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        12⤵
        Runs ping.exe
        
        PID:15016
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        12⤵
        
        PID:15024
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:15164
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:15268
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:15276
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:15284
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:15292
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:14436
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        9⤵
        
        PID:14520
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        
        PID:14872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:15052
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:14664
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:11480
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:14864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:14872
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        12⤵
        
        PID:15076
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        12⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        12⤵
        Runs ping.exe
        
        PID:14316
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        12⤵
        
        PID:14256
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        12⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:15348
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:14480
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        
        PID:15076
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:15308
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        
        PID:15096
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        
        PID:15452
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:15492
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:15552
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        
        PID:15584
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        
        PID:15632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:15664
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:15692
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:15728
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        12⤵
        
        PID:15756
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        12⤵
        
        PID:15832
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        12⤵
        
        PID:16040
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        12⤵
        
        PID:16056
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        12⤵
        Runs ping.exe
        
        PID:16064
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:16048
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:16184
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        
        PID:16276
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        
        PID:15544
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        Runs ping.exe
        
        PID:15496
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        
        PID:15480
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        10⤵
        
        PID:15468
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        10⤵
        
        PID:15740
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        10⤵
        
        PID:15980
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        10⤵
        Runs ping.exe
        
        PID:16124
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        10⤵
        
        PID:16088
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        9⤵
        
        PID:16028
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        9⤵
        
        PID:15748
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        9⤵
        Runs ping.exe
        
        PID:13620
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        9⤵
        
        PID:15644
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        
        PID:15932
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        8⤵
        
        PID:15980
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        8⤵
        
        PID:16072
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        8⤵
        
        PID:16176
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        8⤵
        
        PID:16284
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        8⤵
        
        PID:15676
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        8⤵
        
        PID:15684
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        8⤵
        Runs ping.exe
        
        PID:15672
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        7⤵
        
        PID:15720
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        7⤵
        
        PID:15804
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        7⤵
        
        PID:15852
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        7⤵
        
        PID:15920
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        7⤵
        
        PID:16296
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        7⤵
        
        PID:16304
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        7⤵
        
        PID:16312
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        6⤵
        
        PID:14136
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        6⤵
        
        PID:14176
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:14228
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        6⤵
        
        PID:14280
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        6⤵
        
        PID:13364
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        6⤵
        Runs ping.exe
        
        PID:13228
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        6⤵
        
        PID:13716
      - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        6⤵
        
        PID:13784
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        5⤵
        
        PID:11716
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        5⤵
        
        PID:12332
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:12452
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        5⤵
        
        PID:12460
    - - C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        5⤵
        Runs ping.exe
        
        PID:12468
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
      4⤵
      PID:9320
  - - C:\Windows\SysWOW64\ping.exe
      ping www.duniasex.com -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:9692
  - - C:\Windows\SysWOW64\ping.exe
      ping www.data0.net -n 65500 -l 1340
      4⤵
      PID:9744
  - - C:\Windows\SysWOW64\ping.exe
      ping www.rasasayang.com.my -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:9760
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    PID:7140
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    PID:6200
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      PID:6268
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
      4⤵
      PID:6432
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
      4⤵
      PID:6808
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
      4⤵
      PID:6220
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      PID:6284
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
      4⤵
      PID:6388
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
      4⤵
      PID:5656
  - - C:\Windows\SysWOW64\ping.exe
      ping www.duniasex.com -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:6536
  - - C:\Windows\SysWOW64\ping.exe
      ping www.data0.net -n 65500 -l 1340
      4⤵
      PID:6252
  - - C:\Windows\SysWOW64\ping.exe
      ping www.rasasayang.com.my -n 65500 -l 1340
      4⤵
      Runs ping.exe
      PID:6204
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    PID:7248
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    PID:7824
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:7832
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
  2⤵
  PID:6860
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
  2⤵
  PID:6928
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
  2⤵
  PID:6980
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
    3⤵
    PID:6216
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\ping.exe
    ping www.duniasex.com -n 65500 -l 1340
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\ping.exe
    ping www.data0.net -n 65500 -l 1340
    3⤵
    - Runs ping.exe
    PID:5360
- - C:\Windows\SysWOW64\ping.exe
    ping www.rasasayang.com.my -n 65500 -l 1340
    3⤵
    PID:6312
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  PID:6284
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
  2⤵
  PID:6900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
  2⤵
  PID:7272
- C:\Windows\SysWOW64\ping.exe
  ping www.duniasex.com -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:7592
- C:\Windows\SysWOW64\ping.exe
  ping www.data0.net -n 65500 -l 1340
  2⤵
  - Runs ping.exe
  PID:7600
- C:\Windows\SysWOW64\ping.exe
  ping www.rasasayang.com.my -n 65500 -l 1340
  2⤵
  PID:7608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
124KB

MD5
3bd2eaa3d770d2ae8693dab2b9de0e71

SHA1
94c1ea5f8ab5e9062655aeca20f6d839378eb3dc

SHA256
b838461a61977cbf7a9a09e09e8b8eb27eabc23c9b7be5f350c3ed3307ca7e5a

SHA512
d790ab27e205cc14de398764569483c85c1fb43d1e6316204e994d8b887e22e9c9559aa7eaa00a8abebe5375867638688d08b0b90a4a424ebcd8852cec64fddc

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/244-86-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/748-318-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/864-300-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/952-101-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1088-125-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1472-82-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1472-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1544-361-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1592-161-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1744-106-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1920-247-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2024-557-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2024-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2128-134-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-262-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2356-227-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-184-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2756-202-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2900-286-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2900-282-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2952-328-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2996-72-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2996-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3148-168-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3188-108-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3188-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3204-117-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3304-192-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3304-197-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3304-301-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3304-384-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3348-213-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3348-191-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3508-258-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3508-232-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3708-365-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3844-272-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3912-370-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3916-177-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4004-309-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4036-113-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4036-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4180-296-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4180-293-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4292-322-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4380-128-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4388-264-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4388-374-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4388-248-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4388-326-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4400-209-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4440-366-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4440-504-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4440-382-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4440-452-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4440-486-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4500-98-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4508-237-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4660-313-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4668-207-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4864-147-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4940-244-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4940-415-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4940-445-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5012-252-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5012-249-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5044-314-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5044-375-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5044-281-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5048-236-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5104-256-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5112-267-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5112-164-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5116-354-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5116-334-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5116-331-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5160-380-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5160-427-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5228-419-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5228-423-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5488-434-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5656-418-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5656-519-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5704-439-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5728-495-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5792-443-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5812-387-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5828-458-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5916-396-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5932-449-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5952-435-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5952-454-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6020-400-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6056-407-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6088-411-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6200-533-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6204-477-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6204-475-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6240-481-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6272-485-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6276-536-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6284-577-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6304-490-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6400-497-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6492-502-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6680-509-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6756-583-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6968-564-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6980-570-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads