Analysis Overview
SHA256
ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffc
Threat Level: Known bad
The file ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Event Triggered Execution: Image File Execution Options Injection
Disables use of System Restore points
Modifies system executable filetype association
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
System policy modification
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-04 03:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 03:35
Reported
2024-11-04 03:37
Platform
win7-20240708-en
Max time kernel
97s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Checks whether UAC is enabled (note: every row below is a write of EnableLUA = 0, which disables UAC after the next restart, rather than a read of the value)
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe
"C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5605940641269039788-445443527371783988-6600660581223837587-1317849185-50233095"
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "75634532514606534635748891641407020211511341031-105881179217592710701681993797"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15912253-1509587398-930744138-12535138521443526572145726408720950708961818933087"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1825892863-15550815621052381199578072821-610023670-1825989783529182070804254635"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2087386544-1879308258-1486164861994652795970299340994749832-16425222821023957902"
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "955784522-20223004291867173043171912267957886901-420939604-1618495841661699576"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2122246977-1193117179568458483-367630809-1822021340-1493552178-1370226456-1741782128"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1626072606-6891118361921693801-1298783698-1232555312585518155912963967-1106179271"
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18064085871320071988-1218420189122741900340285590810733521511091874611044644180"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-396825016574686410-519461480-23220256-559233788-5315552022120898733423583194"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1962114054-4643380341751303444223582670-21285241711908480922754218838425239565"
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1684469261-1413525995566492720-211455757-13375390271082771293-836694967229238677"
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1778782170-1669382070-7723147854099311431402719681408326410-1296963645-1279245562"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2116171328-409472986133124635215430721737424475157155013341607212670-1279022169"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1391833884-1890449808-16730662431438942750-1816569638362452832-929978383-70538558"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2035739742035735631586326504-327321090-1993594712-952793019-309396241444592415"
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4625307871179718363-1995894559-6107767521130365010-90596498-902393489-1091837797"
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15486866271308361070-17898346351599265374-1683648208-867608250-2026203217-1070308512"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20221312418860249131684033379648454605140722134555382503513187642341306026678"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.data0.net | udp |
| US | 8.8.8.8:53 | www.rasasayang.com.my | udp |
| US | 8.8.8.8:53 | www.duniasex.com | udp |
Files
memory/2356-0-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
| MD5 | 63a081776c5c980c3363c657eb617f98 |
| SHA1 | 3d338a6a820dc1edd44154e2a42669ca67f0cf19 |
| SHA256 | 685d3e7d5da56ec559726096a62d969a6e68469fade2b7fc27d77effb4e904ec |
| SHA512 | 884b26037d487dffd57907c0adc649a31d4cbd35b91f9f3cb2e9a84c16a291bf42ed97ab67f83ad81fd1d0bf0de87b7f3b84cfe3a1fb23518bd21b6e671d80ad |
memory/2012-62-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
| MD5 | 5343a19c618bc515ceb1695586c6c137 |
| SHA1 | 4dedae8cbde066f31c8e6b52c0baa3f8b1117742 |
| SHA256 | 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce |
| SHA512 | 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-04 03:35 |
| Reported | 2024-11-04 03:37 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 8s |
| Max time network | 120s |
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\ping.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Runs ping.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe
"C:\Users\Admin\AppData\Local\Temp\ebdf7ecb3cb3e2b9dfc9fb4888212cc3d45cd18dfcf48f61d8fcc9235c715ffcN.exe"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8132 -ip 8132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 9984 -ip 9984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9984 -s 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8132 -s 256
Network
Files
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
| MD5 | 009e3861702826b6d8588e066f6ca2fd |
| SHA1 | b66405fbce246a34232355092ae98e0926812334 |
| SHA256 | 99a193d6f03885a92c6bcaa6c5899d6a57c82aa458342bbd55cb8a0ba6d4588f |
| SHA512 | af838535dec2457ee67db716d68a612b7ae8dbf851005d5d7262694a6dd9ee730401964e22618a682e3e9fed287c78d7b3a4eeb78f80895b397cdd2b68af5b73 |
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
| MD5 | 25f62c02619174b35851b0e0455b3d94 |
| SHA1 | 4e8ee85157f1769f6e3f61c0acbe59072209da71 |
| SHA256 | 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2 |
| SHA512 | f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a |
memory/6416-451-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6176-461-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6504-463-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6532-467-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6568-471-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6384-473-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6680-477-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6924-480-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7040-482-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6356-508-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6428-510-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6464-514-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7040-516-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5576-519-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1996-524-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6784-528-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7040-531-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7144-535-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7104-552-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2260-561-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6440-568-0x0000000000400000-0x0000000000426000-memory.dmp