Analysis
-
max time kernel
8s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2024, 03:35
Static task
static1
Behavioral task
behavioral1
Sample
ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe
Resource
win10v2004-20241007-en
General
-
Target
ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe
-
Size
88KB
-
MD5
34d29624c1651056798edac993da1fe0
-
SHA1
fca66a2211be7fb7261d9bad43a1b48a6e753f1d
-
SHA256
ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffc
-
SHA512
5908c8666fd1c1aa7583a6ca03d4a57915bd7c3777b16be058cb03ec92072de267bf8f7b3af3360460d4adef91bcf7abe1d01ea72ef42acb564f19a3fed7d54c
-
SSDEEP
768:GMXkE7U60L5jTgc/iPQc0Ic+a+GlKyHu0y3u02qU6E4/IJe/nbcuyD7UIu:GMUYU6U5jUdPQc+n35KZg8/nouy8Iu
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Paraysutki_VM_Community Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Paraysutki_VM_Community Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Paraysutki_VM_Community Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Paraysutki_VM_Community -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Paraysutki_VM_Community Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Paraysutki_VM_Community -
Disables RegEdit via registry modification 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Paraysutki_VM_Community Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Paraysutki_VM_Community Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe winlogon.exe -
Executes dropped EXE 40 IoCs
pid Process 2260 csrss.exe 5036 csrss.exe 2080 smss.exe 2216 csrss.exe 4904 smss.exe 3280 lsass.exe 2076 csrss.exe 3240 smss.exe 4292 lsass.exe 1588 services.exe 2524 csrss.exe 1932 smss.exe 1376 lsass.exe 3556 services.exe 412 winlogon.exe 1752 csrss.exe 4872 smss.exe 1428 lsass.exe 1624 services.exe 2496 winlogon.exe 648 Paraysutki_VM_Community 2704 csrss.exe 2136 smss.exe 2640 lsass.exe 372 services.exe 2508 winlogon.exe 4500 Paraysutki_VM_Community 3752 Paraysutki_VM_Community 4536 csrss.exe 1100 smss.exe 1756 lsass.exe 2836 services.exe 4472 winlogon.exe 952 csrss.exe 1204 smss.exe 1692 lsass.exe 3720 services.exe 2420 winlogon.exe 2496 Paraysutki_VM_Community 4620 Paraysutki_VM_Community -
Loads dropped DLL 40 IoCs
pid Process 2260 csrss.exe 5036 csrss.exe 2080 smss.exe 2216 csrss.exe 4904 smss.exe 3280 lsass.exe 2076 csrss.exe 3240 smss.exe 4292 lsass.exe 1588 services.exe 2524 csrss.exe 1932 smss.exe 1376 lsass.exe 3556 services.exe 412 winlogon.exe 1752 csrss.exe 4872 smss.exe 1428 lsass.exe 1624 services.exe 2496 winlogon.exe 648 Paraysutki_VM_Community 2704 csrss.exe 2136 smss.exe 2640 lsass.exe 372 services.exe 2508 winlogon.exe 4500 Paraysutki_VM_Community 3752 Paraysutki_VM_Community 4536 csrss.exe 1100 smss.exe 1756 lsass.exe 2836 services.exe 4472 winlogon.exe 952 csrss.exe 1204 smss.exe 1692 lsass.exe 3720 services.exe 2420 winlogon.exe 2496 Paraysutki_VM_Community 4620 Paraysutki_VM_Community -
Modifies system executable filetype association 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt Paraysutki_VM_Community -
Adds Run key to start application 2 TTPs 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" winlogon.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Paraysutki_VM_Community Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Paraysutki_VM_Community Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe Paraysutki_VM_Community File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll Paraysutki_VM_Community File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe Paraysutki_VM_Community File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe Paraysutki_VM_Community File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe services.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe Paraysutki_VM_Community File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe smss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe lsass.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll Paraysutki_VM_Community File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe Paraysutki_VM_Community File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe Paraysutki_VM_Community File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ csrss.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe lsass.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe smss.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community Paraysutki_VM_Community File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ services.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe winlogon.exe File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll services.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 1480 9984 WerFault.exe 1036 392 8132 WerFault.exe 1032 -
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paraysutki_VM_Community Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 11384 ping.exe 11836 ping.exe 6552 ping.exe 6564 ping.exe 8844 ping.exe 9696 ping.exe 9992 ping.exe 7252 ping.exe 412 ping.exe 6940 ping.exe 10732 ping.exe 13232 ping.exe 10016 ping.exe 9660 ping.exe 11688 ping.exe 11732 ping.exe 6100 ping.exe 14060 ping.exe 12144 ping.exe 12908 ping.exe 5472 ping.exe 8784 ping.exe 10008 ping.exe 5124 ping.exe 9472 ping.exe 11844 ping.exe 7992 ping.exe 11940 ping.exe 14056 ping.exe 10532 ping.exe 9432 ping.exe 6696 ping.exe 5192 ping.exe 8296 ping.exe 5500 ping.exe 6324 ping.exe 8860 ping.exe 14168 ping.exe 8744 ping.exe 7836 ping.exe 1720 ping.exe 13316 ping.exe 7232 ping.exe 14836 ping.exe 6444 ping.exe 12760 ping.exe 12916 ping.exe 7604 ping.exe 6688 ping.exe 7824 ping.exe 4616 ping.exe 9720 ping.exe 10504 ping.exe 4088 ping.exe 2112 ping.exe 5664 ping.exe 10804 ping.exe 12148 ping.exe 11464 ping.exe 1152 ping.exe 8184 ping.exe 11156 ping.exe 13832 ping.exe 2220 ping.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main Paraysutki_VM_Community Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" Paraysutki_VM_Community Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main Paraysutki_VM_Community Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" Paraysutki_VM_Community Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" winlogon.exe -
Modifies registry class 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Paraysutki_VM_Community Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Paraysutki_VM_Community -
Runs ping.exe 1 TTPs 64 IoCs
pid Process 8784 ping.exe 8184 ping.exe 5680 ping.exe 6084 ping.exe 8844 ping.exe 8172 ping.exe 4616 ping.exe 11988 ping.exe 7992 ping.exe 5392 ping.exe 6916 ping.exe 14168 ping.exe 13832 ping.exe 6488 ping.exe 10488 ping.exe 11384 ping.exe 3468 ping.exe 6476 ping.exe 5192 ping.exe 7852 ping.exe 7060 ping.exe 7148 ping.exe 8504 ping.exe 5648 ping.exe 6540 ping.exe 7544 ping.exe 9432 ping.exe 9992 ping.exe 12380 ping.exe 6664 ping.exe 7252 ping.exe 6140 ping.exe 7232 ping.exe 15260 ping.exe 14796 ping.exe 3936 ping.exe 13316 ping.exe 6100 ping.exe 14200 ping.exe 7116 ping.exe 10780 ping.exe 9364 ping.exe 4504 ping.exe 5124 ping.exe 8060 ping.exe 7720 ping.exe 5344 ping.exe 10128 ping.exe 10732 ping.exe 12216 ping.exe 1600 ping.exe 7528 ping.exe 9060 ping.exe 8712 ping.exe 9720 ping.exe 10540 ping.exe 12772 ping.exe 13920 ping.exe 6440 ping.exe 10756 ping.exe 4484 ping.exe 8052 ping.exe 8068 ping.exe 8552 ping.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2476 rundll32.exe 2412 rundll32.exe -
Suspicious use of SetWindowsHookEx 45 IoCs
pid Process 4604 ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe 2260 csrss.exe 5036 csrss.exe 2080 smss.exe 2216 csrss.exe 4904 smss.exe 3280 lsass.exe 2076 csrss.exe 3240 smss.exe 4292 lsass.exe 1588 services.exe 2524 csrss.exe 1932 smss.exe 1376 lsass.exe 3556 services.exe 412 winlogon.exe 1752 csrss.exe 4872 smss.exe 1428 lsass.exe 1624 services.exe 2496 winlogon.exe 648 Paraysutki_VM_Community 2704 csrss.exe 2136 smss.exe 2640 lsass.exe 372 services.exe 2508 winlogon.exe 4500 Paraysutki_VM_Community 3752 Paraysutki_VM_Community 4536 csrss.exe 1100 smss.exe 1756 lsass.exe 2836 services.exe 2412 rundll32.exe 2412 rundll32.exe 2476 rundll32.exe 2476 rundll32.exe 4472 winlogon.exe 952 csrss.exe 1204 smss.exe 1692 lsass.exe 3720 services.exe 2420 winlogon.exe 2496 Paraysutki_VM_Community 4620 Paraysutki_VM_Community -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4604 wrote to memory of 2260 4604 ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe 84 PID 4604 wrote to memory of 2260 4604 ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe 84 PID 4604 wrote to memory of 2260 4604 ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe 84 PID 2260 wrote to memory of 5036 2260 csrss.exe 86 PID 2260 wrote to memory of 5036 2260 csrss.exe 86 PID 2260 wrote to memory of 5036 2260 csrss.exe 86 PID 2260 wrote to memory of 2080 2260 csrss.exe 87 PID 2260 wrote to memory of 2080 2260 csrss.exe 87 PID 2260 wrote to memory of 2080 2260 csrss.exe 87 PID 2080 wrote to memory of 2216 2080 smss.exe 89 PID 2080 wrote to memory of 2216 2080 smss.exe 89 PID 2080 wrote to memory of 2216 2080 smss.exe 89 PID 2080 wrote to memory of 4904 2080 smss.exe 90 PID 2080 wrote to memory of 4904 2080 smss.exe 90 PID 2080 wrote to memory of 4904 2080 smss.exe 90 PID 2080 wrote to memory of 3280 2080 smss.exe 92 PID 2080 wrote to memory of 3280 2080 smss.exe 92 PID 2080 wrote to memory of 3280 2080 smss.exe 92 PID 3280 wrote to memory of 2076 3280 lsass.exe 93 PID 3280 wrote to memory of 2076 3280 lsass.exe 93 PID 3280 wrote to memory of 2076 3280 lsass.exe 93 PID 3280 wrote to memory of 3240 3280 lsass.exe 94 PID 3280 wrote to memory of 3240 3280 lsass.exe 94 PID 3280 wrote to memory of 3240 3280 lsass.exe 94 PID 3280 wrote to memory of 4292 3280 lsass.exe 95 PID 3280 wrote to memory of 4292 3280 lsass.exe 95 PID 3280 wrote to memory of 4292 3280 lsass.exe 95 PID 3280 wrote to memory of 1588 3280 lsass.exe 96 PID 3280 wrote to memory of 1588 3280 lsass.exe 96 PID 3280 wrote to memory of 1588 3280 lsass.exe 96 PID 1588 wrote to memory of 2524 1588 services.exe 97 PID 1588 wrote to memory of 2524 1588 services.exe 97 PID 1588 wrote to memory of 2524 1588 services.exe 97 PID 1588 wrote to memory of 1932 1588 services.exe 98 PID 1588 wrote to memory of 1932 1588 services.exe 98 PID 1588 wrote to memory of 1932 1588 services.exe 98 PID 1588 wrote to memory of 1376 1588 services.exe 99 PID 1588 wrote to memory of 1376 1588 services.exe 99 PID 1588 wrote to memory of 1376 1588 services.exe 99 PID 1588 wrote to memory of 3556 1588 services.exe 188 PID 1588 wrote to memory of 3556 1588 services.exe 188 PID 1588 wrote to memory of 3556 1588 services.exe 188 PID 1588 wrote to memory of 412 1588 services.exe 101 PID 1588 wrote to memory of 412 1588 services.exe 101 PID 1588 wrote to memory of 412 1588 services.exe 101 PID 412 wrote to memory of 1752 412 winlogon.exe 102 PID 412 wrote to memory of 1752 412 winlogon.exe 102 PID 412 wrote to memory of 1752 412 winlogon.exe 102 PID 412 wrote to memory of 4872 412 winlogon.exe 103 PID 412 wrote to memory of 4872 412 winlogon.exe 103 PID 412 wrote to memory of 4872 412 winlogon.exe 103 PID 412 wrote to memory of 1428 412 winlogon.exe 104 PID 412 wrote to memory of 1428 412 winlogon.exe 104 PID 412 wrote to memory of 1428 412 winlogon.exe 104 PID 412 wrote to memory of 1624 412 winlogon.exe 105 PID 412 wrote to memory of 1624 412 winlogon.exe 105 PID 412 wrote to memory of 1624 412 winlogon.exe 105 PID 412 wrote to memory of 2496 412 winlogon.exe 143 PID 412 wrote to memory of 2496 412 winlogon.exe 143 PID 412 wrote to memory of 2496 412 winlogon.exe 143 PID 412 wrote to memory of 648 412 winlogon.exe 107 PID 412 wrote to memory of 648 412 winlogon.exe 107 PID 412 wrote to memory of 648 412 winlogon.exe 107 PID 648 wrote to memory of 2704 648 Paraysutki_VM_Community 108 -
System policy modification 1 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Paraysutki_VM_Community Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Paraysutki_VM_Community Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Paraysutki_VM_Community
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe"C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5036
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2216
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4904
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2076
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3240
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4292
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2524
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1932
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1376
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3556
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:412 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1752
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4872
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1428
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1624
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:648 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2704
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2136
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2640
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:372
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2508
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4500
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2476
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
PID:2860
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1600
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4088
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2412
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
PID:4640
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Location Discovery: System Language Discovery
PID:2320
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3752 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4536
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1100
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1756
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2836
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4472 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:952
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1204
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1692
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2420
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵
- System Location Discovery: System Language Discovery
PID:1400
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:1688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:2136
-
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
PID:3468
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2112
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4620
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- System Location Discovery: System Language Discovery
PID:3184
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
PID:4504
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:4488
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵PID:5100
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵PID:2152
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵PID:2836
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵PID:3520
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵PID:1324
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵PID:4272
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵PID:1776
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵PID:808
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵PID:4620
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵PID:876
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵PID:536
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵PID:2564
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵PID:1776
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵PID:3676
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵PID:2132
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵PID:1588
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵PID:4544
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵PID:3752
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵PID:612
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵PID:1120
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵PID:3176
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵PID:4572
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵PID:4472
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:3200
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵PID:3676
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵PID:952
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵PID:8
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
PID:5392
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:5400
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵PID:5408
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵PID:5384
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵PID:5468
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵PID:5628
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
PID:6084
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵PID:6092
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6100
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵PID:6076
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵PID:5300
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5124
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵PID:5268
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵PID:5976
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe4⤵PID:5448
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵PID:5544
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community4⤵PID:5636
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵PID:5852
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5472
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵PID:5384
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13404⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5500
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe3⤵PID:5124
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe3⤵PID:5216
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵PID:5288
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community3⤵PID:5344
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵PID:5552
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵PID:5836
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵PID:6056
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe4⤵PID:4616
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵PID:5288
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵PID:5892
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵PID:5220
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵PID:764
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵PID:6176
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵PID:6236
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵PID:6280
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵PID:6324
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵PID:6356
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵PID:6384
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵PID:6416
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵PID:6440
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵PID:6476
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵PID:6504
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵PID:6532
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵PID:6568
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵PID:6608
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:6672
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6688
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6696
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵PID:6680
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵PID:6816
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
PID:6916
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:6932
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6940
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵PID:6924
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵PID:7040
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵PID:7104
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵PID:7160
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵PID:5576
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵PID:6236
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵PID:6332
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵PID:6372
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵PID:6356
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵PID:6428
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵PID:6464
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵PID:2156
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
PID:6540
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6564
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6552
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵PID:6536
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵PID:1996
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵PID:6784
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵PID:2012
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
PID:7060
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
PID:7116
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
PID:6664
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵PID:7144
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵PID:6376
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6444
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
PID:6488
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- Runs ping.exe
PID:6476
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵PID:6440
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵PID:6836
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵PID:7064
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵PID:6324
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵PID:5828
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵PID:7104
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵PID:6364
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵PID:6240
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵PID:6504
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵PID:7236
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵PID:7288
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵PID:7320
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵PID:7348
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵PID:7376
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵PID:7452
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
PID:7528
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵
- Runs ping.exe
PID:7544
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵PID:7552
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵PID:7536
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵PID:7664
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7836
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
PID:7852
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵PID:7860
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵PID:7844
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵PID:7952
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵PID:8024
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵PID:8132
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵PID:6360
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵PID:6256
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵PID:7440
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵PID:6240
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵PID:7628
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵PID:7692
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵PID:7784
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵PID:7832
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵PID:7056
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵PID:7960
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵PID:8084
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe10⤵PID:8168
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵PID:7372
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community10⤵PID:7504
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵PID:7440
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
- Runs ping.exe
PID:7720
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵PID:7752
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7824
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵PID:7756
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
PID:5344
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵PID:7960
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵PID:5372
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵PID:7992
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵PID:7356
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵PID:7448
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵PID:7884
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵PID:7992
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵PID:7612
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵PID:6360
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵PID:8236
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵PID:8284
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe10⤵PID:8320
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵PID:8364
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community10⤵PID:8400
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵PID:8444
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
- Runs ping.exe
PID:8504
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵PID:8520
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134010⤵PID:8528
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵PID:8512
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵PID:8604
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵PID:8660
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵PID:8696
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵PID:8768
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8844
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵PID:8852
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8860
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵PID:8868
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵
- Runs ping.exe
PID:9060
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵PID:9076
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵PID:9084
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵PID:9068
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵PID:8280
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵PID:8284
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵PID:8412
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵PID:7612
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵PID:8712
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵PID:8764
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵PID:8920
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵PID:9172
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵PID:8436
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7252
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵PID:8368
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵PID:8480
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵PID:8728
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe8⤵PID:9192
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵PID:9204
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community8⤵PID:8344
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵PID:8292
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵PID:9288
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵PID:9396
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵PID:9496
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe10⤵PID:9572
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵PID:9644
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵PID:9696
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵PID:9768
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:9820
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:9848
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:9884
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:9920
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:9952
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:10012
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:10052
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵PID:10104
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵PID:10120
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵
- Runs ping.exe
PID:10128
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵PID:10108
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵PID:10196
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵PID:4616
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵PID:9344
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
PID:6440
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9432
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵PID:9552
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵PID:8804
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community10⤵PID:9716
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵PID:4972
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵PID:9920
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9992
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10008
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵PID:9944
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵PID:8932
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵PID:10180
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵PID:10232
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵PID:9636
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵PID:1148
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵PID:2488
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:9844
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:9908
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:8376
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:10196
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:9604
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:10096
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:8432
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9720
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:9696
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4616
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵PID:10076
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:9904
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:10256
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:10312
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:10356
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:10420
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:10460
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:10508
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵PID:10540
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵PID:10568
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵PID:10600
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵PID:10648
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10732
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵PID:10748
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- Runs ping.exe
PID:10756
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:10740
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:10844
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:10968
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵PID:11140
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11156
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵PID:11164
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵PID:11148
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵PID:10292
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10504
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵PID:10512
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10532
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵PID:10464
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵PID:10676
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:10832
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:10912
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:10844
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:11136
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:10476
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:11220
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:10184
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵PID:10180
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵PID:10884
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵PID:10848
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵PID:11056
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵PID:11024
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe14⤵PID:10296
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵PID:10476
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community14⤵PID:11220
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen14⤵PID:11148
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134014⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10804
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134014⤵PID:6300
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134014⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:9660
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵PID:10848
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵PID:10572
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
PID:10488
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵PID:10184
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵PID:9928
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:216
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:11324
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:11400
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:11508
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵PID:11564
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵PID:11628
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵PID:11672
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵PID:11796
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵PID:11920
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11940
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵PID:11948
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:11928
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:12072
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵PID:11296
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11464
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11384
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵PID:11456
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵PID:11712
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵PID:11692
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵PID:11864
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵PID:11232
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵PID:12196
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵PID:11548
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11688
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵PID:11664
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵PID:11508
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe10⤵PID:11772
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵PID:12216
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community10⤵PID:11764
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵PID:12100
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11732
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- Runs ping.exe
PID:12216
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11844
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵PID:11432
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵PID:11472
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵PID:11584
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵PID:11692
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe10⤵PID:11740
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵PID:11776
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community10⤵PID:11832
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵PID:11884
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵PID:12132
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12148
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134010⤵PID:12156
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵PID:12140
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵PID:12252
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵PID:11540
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵PID:11608
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe10⤵PID:11696
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵PID:11760
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:11468
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:11172
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:11784
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:11728
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:11232
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:11564
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:11784
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵
- Runs ping.exe
PID:10540
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵
- Runs ping.exe
PID:11988
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11836
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵PID:10676
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:12384
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:12456
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:12480
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:12532
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵PID:12592
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵PID:12652
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵PID:12720
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe14⤵PID:12744
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵PID:12776
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community14⤵PID:12816
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen14⤵PID:12852
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134014⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12908
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134014⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12916
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134014⤵PID:12924
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵PID:12932
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵PID:13024
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵PID:13060
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵PID:13116
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵PID:13212
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵PID:13224
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:13232
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:13208
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:11932
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:12364
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵PID:12464
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵PID:12252
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵PID:12628
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe14⤵PID:12592
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵PID:12724
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community14⤵PID:12772
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen14⤵PID:708
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134014⤵PID:12824
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134014⤵PID:12880
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134014⤵PID:12904
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:12860
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:13024
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵PID:13060
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵PID:13264
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵PID:13244
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵PID:12564
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵PID:12752
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵PID:12768
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12760
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:12788
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:8500
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:13296
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:12784
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵PID:3128
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵
- Runs ping.exe
PID:12380
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵PID:3532
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵PID:12556
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:1008
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:13380
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:13472
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵PID:13540
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵PID:13616
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵PID:13660
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe14⤵PID:13692
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵PID:13724
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵PID:13764
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵PID:13800
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵PID:13836
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵PID:13868
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵PID:13896
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵PID:13928
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵PID:13964
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵PID:13988
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵PID:14020
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe16⤵PID:14048
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵PID:14080
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community16⤵PID:14112
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen16⤵PID:14144
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134016⤵PID:14192
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134016⤵
- Runs ping.exe
PID:14200
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134016⤵PID:14208
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵PID:14216
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1720
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵PID:13332
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2220
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community14⤵PID:13372
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵PID:2872
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵PID:13588
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵PID:13652
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵PID:13664
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵PID:13736
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵PID:13768
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵PID:13804
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵PID:13864
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe16⤵PID:13872
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵PID:13936
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community16⤵PID:13952
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen16⤵PID:13996
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134016⤵PID:14040
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134016⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:14060
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134016⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:14056
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵PID:3380
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵PID:5232
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12144
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
PID:5648
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵PID:5600
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen14⤵PID:5704
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134014⤵PID:5968
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134014⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:412
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134014⤵
- Runs ping.exe
PID:6140
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:6008
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵PID:3844
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵PID:13660
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵PID:10472
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵PID:13956
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵PID:14052
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe14⤵PID:5328
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵PID:5636
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community14⤵PID:4092
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen14⤵PID:13864
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134014⤵PID:14024
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134014⤵PID:6764
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134014⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:14168
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵PID:13968
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵PID:13836
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
PID:4484
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵PID:6272
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵PID:6340
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:5860
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:13336
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:13976
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:6628
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵PID:6864
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵PID:3688
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵PID:13832
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵PID:13872
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵PID:9876
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵PID:13724
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵PID:14044
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:3408
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:6828
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:6852
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵PID:6400
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵PID:4464
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵PID:5720
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵PID:1584
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵PID:7404
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe14⤵PID:7828
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵PID:5720
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵PID:8184
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵PID:7248
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵PID:7384
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe16⤵PID:13960
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵PID:7680
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community16⤵PID:7148
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵PID:7908
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵PID:11872
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵PID:7340
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵PID:7384
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe17⤵PID:7908
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community17⤵PID:7804
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵PID:7432
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵PID:7176
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7232
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134017⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8184
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen16⤵PID:7072
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134016⤵PID:7908
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134016⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7604
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134016⤵
- Runs ping.exe
PID:7148
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵PID:7380
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵PID:14424
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵PID:14496
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵PID:14536
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵PID:14564
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵PID:14628
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe17⤵PID:14684
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe17⤵PID:14720
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe17⤵PID:14760
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe17⤵PID:14780
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe17⤵PID:14812
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community17⤵PID:14852
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen17⤵PID:14892
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134017⤵PID:14940
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134017⤵PID:14956
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134017⤵PID:14968
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵PID:14944
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵PID:15052
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe16⤵PID:15116
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵PID:15184
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community16⤵PID:15248
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen16⤵PID:15344
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134016⤵PID:14548
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134016⤵PID:14580
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134016⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8744
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵PID:8760
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵PID:14760
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
PID:14796
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:14836
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵PID:14804
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community14⤵PID:8384
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵PID:2856
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵PID:14520
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵PID:2740
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- Runs ping.exe
PID:9364
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵PID:14912
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵PID:9368
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen14⤵PID:14948
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134014⤵PID:6636
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134014⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7992
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134014⤵PID:8132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8132 -s 25615⤵
- Program crash
PID:392
-
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵PID:12512
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵PID:14428
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵PID:14540
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵PID:9032
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵PID:14780
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵PID:14936
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵PID:8476
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵PID:15340
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community16⤵PID:8808
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen16⤵PID:14572
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134016⤵PID:14932
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134016⤵PID:8332
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134016⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8296
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵PID:3620
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵PID:7828
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵PID:15188
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵PID:14880
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵PID:14772
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵PID:8428
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵PID:9984
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵PID:9724
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵PID:8360
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9984 -s 54815⤵
- Program crash
PID:1480
-
-
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵PID:8424
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:14996
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:15072
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵
- Runs ping.exe
PID:15260
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵PID:15268
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵PID:15276
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵PID:13588
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵PID:5552
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵PID:13840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵PID:5588
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵PID:13936
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵PID:14128
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe12⤵PID:13516
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵PID:5108
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community12⤵PID:7012
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen12⤵PID:6344
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134012⤵PID:372
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134012⤵PID:14188
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134012⤵PID:1524
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵PID:14112
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13832
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
PID:13920
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵PID:4188
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵PID:1480
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community10⤵PID:12732
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen10⤵PID:5104
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1152
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134010⤵
- Runs ping.exe
PID:12772
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134010⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13316
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵PID:12468
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵PID:12648
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵PID:12948
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵PID:13128
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵PID:13252
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen8⤵PID:10612
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13408⤵PID:10764
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13408⤵PID:10772
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13408⤵
- Runs ping.exe
PID:10780
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵PID:10040
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵PID:10016
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵PID:3640
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵PID:9592
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵PID:9804
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
PID:3936
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵PID:4676
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10016
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵PID:9276
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵PID:9328
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:9472
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵PID:9480
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵PID:9488
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵PID:9132
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵PID:8200
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵PID:5092
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵PID:8112
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵PID:8552
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵PID:8756
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵PID:7884
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵PID:9056
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵PID:9196
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵PID:8200
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
PID:8712
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
PID:8552
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8784
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵PID:8908
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵PID:8724
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
PID:8172
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵PID:3956
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵PID:7612
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community4⤵PID:7684
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵PID:7764
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
PID:8052
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- Runs ping.exe
PID:8060
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13404⤵
- Runs ping.exe
PID:8068
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵PID:1996
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5192
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6324
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13403⤵PID:6392
-
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe2⤵PID:2132
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe2⤵PID:1552
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe2⤵PID:2564
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe2⤵PID:3556
-
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community2⤵PID:3752
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵PID:5168
-
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5664
-
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵PID:5672
-
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13402⤵
- Runs ping.exe
PID:5680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8132 -ip 81321⤵PID:10228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 9984 -ip 99841⤵PID:10216
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
88KB
MD5009e3861702826b6d8588e066f6ca2fd
SHA1b66405fbce246a34232355092ae98e0926812334
SHA25699a193d6f03885a92c6bcaa6c5899d6a57c82aa458342bbd55cb8a0ba6d4588f
SHA512af838535dec2457ee67db716d68a612b7ae8dbf851005d5d7262694a6dd9ee730401964e22618a682e3e9fed287c78d7b3a4eeb78f80895b397cdd2b68af5b73