Malware Analysis Report

2025-06-16 06:56

Sample ID 241104-fb9pessrfx
Target ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926
SHA256 ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926
Tags
discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926

Threat Level: Known bad

The file ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

UAC bypass

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 04:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 04:43

Reported

2024-11-04 04:45

Platform

win7-20240903-en

Max time kernel

20s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
When a Debugger value exists under Image File Execution Options\<image>, Windows starts the named debugger instead of the image and appends the image's own command line to it. The rows below use that in two ways. Debugger = "cmd.exe /c del" turns every launch of the named program into a deletion of its executable; the images are antivirus tool names (PCMAV-RTP.exe, PCMAV-CLN.exe, Ansav.exe, Ansavgd.exe), SMP.exe, kspool.exe and kspoold.exe, the generic installer names Setup.exe, Install.exe, Instal.exe and boot.exe, and HokageFile.exe, KakashiHatake.exe and HOKAGE4.exe, which are neither Windows components nor known tools. Debugger = "rundll32.exe" makes cmd.exe, mmc.exe, msiexec.exe, tasklist.exe, taskkill.exe and wscript.exe start rundll32.exe with the image path as its argument, so the tool never runs. Keys are also created for Obito.exe, msconfig.exe, procexp.exe and rstrui.exe without a Debugger value appearing in this view; the rstrui.exe entry (the System Restore UI) is consistent with the "Disables use of System Restore points" signature above.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A

Executes dropped EXE

The dropped executables reuse the names of core Windows processes (csrss.exe, smss.exe, lsass.exe, services.exe, winlogon.exe) but run from C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\, a directory the genuine binaries never occupy (they are started only from C:\Windows\System32); the extension-less Paraysutki_VM_Community runs from the same directory.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Modifies system executable filetype association

persistence
NeverShowExt on the exefile class makes Explorer hide the .exe extension of every executable regardless of the folder option for known file types; Explorer only checks that the value exists, which is why no data is shown for it. Together with the Explorer visibility changes recorded in this report, a dropped "csrss.exe" displays as "csrss".
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
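
The Python script below is an added example, not part of this report or of the sample's own code. It parses rows in the format of the tables above (the Image File Execution Options rows, the DisableRegistryTools rows, the Executes dropped EXE rows and the NeverShowExt rows), explains what each hijack does, flags core-process names started outside System32, and emits the reg.exe command that undoes each registry change. The embedded rows are a constructed subset copied from this page; the assumption that csrss.exe, smss.exe, lsass.exe, services.exe and winlogon.exe are legitimate only in C:\Windows\System32 is the script's own, and the reg.exe commands assume the paths the sandbox logged (including the user SID) are the ones present on the host.

```python
"""Offline triage of sandbox registry rows (added example, not part of the report).

Row format, as printed in the tables above:
    <Description> <Indicator>[ = "<value>"] <Process> <Target>
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six rows copied from this report's tables.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
"""

# Process paths are assumed to contain no spaces, as in this report.
ROW = re.compile(
    r"^(?P<desc>Set value \((?:str|int)\)|Key created|N/A)\s+"
    r"(?P<indicator>\\REGISTRY\\.*?|N/A)"
    r'(?:\s+=\s+"(?P<value>[^"]*)")?\s+'
    r"(?P<process>[A-Za-z]:\\\S+)\s+"
    r"(?P<target>\S+)$"
)
IFEO = re.compile(r"\\Image File Execution Options\\(?P<image>[^\\]+)(?:\\(?P<valname>[^\\]+))?$", re.I)
# Assumption: these five names are legitimate only when started from System32.
CORE_IMAGES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
CORE_DIR = r"c:\windows\system32"


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    process: str
    fix: Optional[str]  # reg.exe command that undoes the change (run elevated on the host)


def parse_row(line: str) -> Optional[dict]:
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def reg_key(nt_path: str) -> str:
    """Map the kernel path the sandbox logs (\\REGISTRY\\MACHINE\\...) to the HKLM/HKU form reg.exe takes."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def classify(row: dict) -> list:
    out = []
    ind, val, proc = row["indicator"], row["value"], row["process"]
    folder, _, name = proc.rpartition("\\")
    if name.lower() in CORE_IMAGES and folder.lower() != CORE_DIR:
        out.append(Finding("masquerade", f"{name} started from {folder}", proc, None))
    if ind == "N/A":
        return out
    key = ind.rpartition("\\")[0]
    m = IFEO.search(ind)
    if m and (m.group("valname") or "").lower() == "debugger":
        # Windows runs the Debugger string instead of the image and appends the image's command line.
        image, v = m.group("image"), (val or "").lower()
        if v.startswith("cmd.exe /c del"):
            detail = f"{image}: every launch runs 'cmd.exe /c del <image path>' and deletes the file"
        elif v == "rundll32.exe":
            detail = f"{image}: every launch starts rundll32.exe with the image as its argument; the tool never runs"
        else:
            detail = f"{image}: Debugger = {val!r} (review manually)"
        out.append(Finding("ifeo_hijack", detail, proc, f'reg delete "{reg_key(key)}" /v Debugger /f'))
    elif m and row["desc"] == "Key created":
        out.append(Finding("ifeo_key", f"{m.group('image')}: IFEO key created, check it for a Debugger value", proc, None))
    elif ind.lower().endswith("\\policies\\system\\disableregistrytools") and val == "1":
        out.append(Finding("regedit_disabled", "Registry Editor blocked by user policy", proc,
                           f'reg add "{reg_key(key)}" /v DisableRegistryTools /t REG_DWORD /d 0 /f'))
    elif ind.lower().endswith("\\classes\\exefile\\nevershowext"):
        out.append(Finding("hide_exe_ext", ".exe extension hidden in Explorer for every executable", proc,
                           f'reg delete "{reg_key(key)}" /v NeverShowExt /f'))
    return out


def triage(text: str) -> list:
    """Classify every row; identical findings (the report repeats rows per process) are kept once."""
    seen, findings = set(), []
    for line in text.splitlines():
        row = parse_row(line)
        for f in classify(row) if row else ():
            if f not in seen:
                seen.add(f)
                findings.append(f)
    return findings


def summary(findings: list) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_ROWS)
    for f in found:
        print(f"[{f.kind}] {f.detail}  (by {f.process})")
        if f.fix:
            print("    undo:", f.fix)
    print(summary(found))
```

Run it as-is to see the findings for the embedded rows, or pass the full tables with triage(open(path).read()). Rows that only create an IFEO key (rstrui.exe, msconfig.exe, procexp.exe in this view) get an ifeo_key finding without a fix, because deleting a whole IFEO key can remove settings legitimate software also stores there; query the key on the host with reg query before deleting anything.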

Adds Run key to start application

persistence
The value names are chosen to look like driver and antivirus components (NviDiaGT, AVManager, NarmonVirusAnti, ConfigVir, PaRaY_VM). Every value points at C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\, while the writing processes run from C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\ and the key landed under Wow6432Node: the dropper is 32-bit, so WOW64 redirected both its System32 file writes and its HKLM\Software registry writes. On a 64-bit host, confirm whether these entries actually resolve at logon before treating them as the active persistence; the dropped files are in SysWOW64 either way.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A (64 identical rows)

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3068 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3068 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3068 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3068 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3068 wrote to memory of 624 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 3068 wrote to memory of 624 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 3068 wrote to memory of 624 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 3068 wrote to memory of 624 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 624 wrote to memory of 3056 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 624 wrote to memory of 3056 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 624 wrote to memory of 3056 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 624 wrote to memory of 3056 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 624 wrote to memory of 2144 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 624 wrote to memory of 2144 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 624 wrote to memory of 2144 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 624 wrote to memory of 2144 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 624 wrote to memory of 2888 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 624 wrote to memory of 2888 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 624 wrote to memory of 2888 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 624 wrote to memory of 2888 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2888 wrote to memory of 1252 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2888 wrote to memory of 1252 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2888 wrote to memory of 1252 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2888 wrote to memory of 1252 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2888 wrote to memory of 2276 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2888 wrote to memory of 2832 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2888 wrote to memory of 2832 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2888 wrote to memory of 2832 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2888 wrote to memory of 2832 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2888 wrote to memory of 2436 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2888 wrote to memory of 2436 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2888 wrote to memory of 2436 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2888 wrote to memory of 2436 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2436 wrote to memory of 1704 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2436 wrote to memory of 1704 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2436 wrote to memory of 1704 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2436 wrote to memory of 1704 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 2436 wrote to memory of 2292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2436 wrote to memory of 2292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2436 wrote to memory of 2292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2436 wrote to memory of 2292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 2436 wrote to memory of 2396 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2436 wrote to memory of 2396 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2436 wrote to memory of 2396 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2436 wrote to memory of 2396 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 2436 wrote to memory of 1864 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2436 wrote to memory of 1864 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2436 wrote to memory of 1864 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2436 wrote to memory of 1864 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 768 wrote to memory of 1420 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 768 wrote to memory of 1420 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 768 wrote to memory of 1420 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 768 wrote to memory of 1420 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe

"C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe"

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1216005302-658175720-131130654565700056481625382220288938181320655239-884498551"

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "421992051490440643-1794323164-326163830-842654299-1626718916-1846925521242363997"

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1987283816451169369-1185760342-1203092750-149081827211612313161704905478-522178074"

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe


C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.duniasex.com | udp
US | 8.8.8.8:53 | www.data0.net | udp
US | 8.8.8.8:53 | www.rasasayang.com.my | udp

Files

memory/2728-0-0x0000000000400000-0x0000000000426000-memory.dmp

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

MD5 f55af2b3ba021a7e895992a7e3088f66
SHA1 847fa3752995497a7bc9552e0e2d9f96fbfc5821
SHA256 1429fdc8d623b678788de5fa5bda3af1473af0948812fa543083a07c8a90e700
SHA512 ef412695e89b9bde80d0d453ac0edbb4c20db7c195f185bbe187b258c4d037c065e98c070da67554f5603e02092f3cee110c19032fce4a934d2a2de914f8e09b

memory/2728-60-0x0000000000300000-0x0000000000326000-memory.dmp

memory/2728-59-0x0000000000300000-0x0000000000326000-memory.dmp

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/3068-73-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/792-78-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3068-77-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/792-82-0x0000000000400000-0x0000000000426000-memory.dmp

memory/624-87-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2728-93-0x0000000000300000-0x0000000000326000-memory.dmp

memory/2728-92-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2728-101-0x0000000000300000-0x0000000000326000-memory.dmp

memory/3056-100-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3068-106-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/624-104-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/3068-103-0x0000000000400000-0x0000000000426000-memory.dmp

memory/624-116-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/624-115-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/2144-112-0x0000000000400000-0x0000000000426000-memory.dmp

memory/624-123-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2888-126-0x0000000000320000-0x0000000000346000-memory.dmp

memory/2888-124-0x0000000000320000-0x0000000000346000-memory.dmp

memory/1252-134-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2276-142-0x0000000000400000-0x0000000000426000-memory.dmp

memory/624-144-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/2888-143-0x0000000000320000-0x0000000000346000-memory.dmp

memory/2832-148-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2888-153-0x0000000000400000-0x0000000000426000-memory.dmp

memory/624-151-0x0000000000290000-0x00000000002B6000-memory.dmp

memory/2436-159-0x0000000000370000-0x0000000000396000-memory.dmp

memory/1704-166-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2436-178-0x0000000000370000-0x0000000000396000-memory.dmp

memory/2292-175-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2396-187-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2436-183-0x0000000000370000-0x0000000000396000-memory.dmp

memory/2436-188-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1864-192-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2436-194-0x0000000000370000-0x0000000000396000-memory.dmp

memory/768-195-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1420-200-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1800-204-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2436-205-0x0000000000370000-0x0000000000396000-memory.dmp

memory/2176-209-0x0000000000400000-0x0000000000426000-memory.dmp

memory/768-212-0x0000000000310000-0x0000000000336000-memory.dmp

memory/768-213-0x0000000000400000-0x0000000000426000-memory.dmp

memory/768-211-0x0000000000310000-0x0000000000336000-memory.dmp

memory/2436-210-0x0000000000370000-0x0000000000396000-memory.dmp

memory/676-217-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2164-221-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3040-224-0x00000000005E0000-0x0000000000606000-memory.dmp

memory/1644-228-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1316-232-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3040-235-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2196-237-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1480-241-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1220-245-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1660-248-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3040-249-0x0000000000400000-0x0000000000426000-memory.dmp

memory/768-251-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2676-258-0x00000000004B0000-0x00000000004D6000-memory.dmp

memory/2692-257-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2676-261-0x00000000004B0000-0x00000000004D6000-memory.dmp

memory/2696-264-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2676-266-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2528-268-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2652-272-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3064-278-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1536-279-0x00000000023D0000-0x00000000023F6000-memory.dmp

memory/1588-283-0x0000000000400000-0x0000000000426000-memory.dmp

memory/596-287-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1536-286-0x00000000023D0000-0x00000000023F6000-memory.dmp

memory/1536-289-0x0000000000400000-0x0000000000426000-memory.dmp

memory/808-294-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1536-292-0x00000000023D0000-0x00000000023F6000-memory.dmp

memory/1424-298-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1536-304-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2304-306-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2676-308-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2888-309-0x0000000000320000-0x0000000000346000-memory.dmp

memory/2436-311-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2988-314-0x0000000000340000-0x0000000000366000-memory.dmp

memory/1620-315-0x0000000000400000-0x0000000000426000-memory.dmp

memory/676-320-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1620-319-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2988-323-0x0000000000340000-0x0000000000366000-memory.dmp

memory/1324-330-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2888-327-0x0000000000320000-0x0000000000346000-memory.dmp

memory/2988-332-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1296-336-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1296-340-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1316-344-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1316-345-0x00000000005C0000-0x00000000005E6000-memory.dmp

memory/2360-349-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2012-353-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2188-356-0x0000000000300000-0x0000000000326000-memory.dmp

memory/2656-361-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2188-359-0x0000000000300000-0x0000000000326000-memory.dmp

memory/2188-366-0x0000000000300000-0x0000000000326000-memory.dmp

memory/1316-367-0x00000000005C0000-0x00000000005E6000-memory.dmp

memory/2556-365-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2188-370-0x0000000000300000-0x0000000000326000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 04:43

Reported

2024-11-04 04:46

Platform

win10v2004-20241007-en

Max time kernel

16s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1340 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1340 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1764 wrote to memory of 548 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1764 wrote to memory of 548 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1764 wrote to memory of 548 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1764 wrote to memory of 3896 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 1764 wrote to memory of 3896 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 1764 wrote to memory of 3896 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 3896 wrote to memory of 3888 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3896 wrote to memory of 3888 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3896 wrote to memory of 3888 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3896 wrote to memory of 1260 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\System32\Conhost.exe
PID 3896 wrote to memory of 1260 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\System32\Conhost.exe
PID 3896 wrote to memory of 1260 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\System32\Conhost.exe
PID 3896 wrote to memory of 4872 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 3896 wrote to memory of 4872 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 3896 wrote to memory of 4872 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 4872 wrote to memory of 4576 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4872 wrote to memory of 4576 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4872 wrote to memory of 4576 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4872 wrote to memory of 5008 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 4872 wrote to memory of 5008 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 4872 wrote to memory of 5008 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 4872 wrote to memory of 3320 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 4872 wrote to memory of 3320 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 4872 wrote to memory of 3320 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 4872 wrote to memory of 1976 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 4872 wrote to memory of 1976 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 4872 wrote to memory of 1976 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 1976 wrote to memory of 1528 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1976 wrote to memory of 1528 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1976 wrote to memory of 1528 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1976 wrote to memory of 1876 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\System32\Conhost.exe
PID 1976 wrote to memory of 1876 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\System32\Conhost.exe
PID 1976 wrote to memory of 1876 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\System32\Conhost.exe
PID 1976 wrote to memory of 3164 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 1976 wrote to memory of 3164 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 1976 wrote to memory of 3164 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 1976 wrote to memory of 212 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 1976 wrote to memory of 212 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 1976 wrote to memory of 212 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 1976 wrote to memory of 4904 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1976 wrote to memory of 4904 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1976 wrote to memory of 4904 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 4904 wrote to memory of 5100 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4904 wrote to memory of 5100 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4904 wrote to memory of 5100 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4904 wrote to memory of 3492 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 4904 wrote to memory of 3492 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 4904 wrote to memory of 3492 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
PID 4904 wrote to memory of 60 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 4904 wrote to memory of 60 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 4904 wrote to memory of 60 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
PID 4904 wrote to memory of 5052 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 4904 wrote to memory of 5052 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 4904 wrote to memory of 5052 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 4904 wrote to memory of 3740 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4904 wrote to memory of 3740 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4904 wrote to memory of 3740 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 4904 wrote to memory of 4368 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 4904 wrote to memory of 4368 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 4904 wrote to memory of 4368 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 4368 wrote to memory of 804 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
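
The table above is the spawn chain of the detonation: the sample (PID 1340) writes into a csrss.exe it dropped under C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\, and each dropped copy (csrss.exe, smss.exe, lsass.exe, services.exe, winlogon.exe, Paraysutki_VM_Community) in turn creates the next. The file names are those of Windows core processes, but the directory is not System32 and the parents are wrong: a genuine csrss.exe is created by smss.exe, and services.exe and lsass.exe by wininit.exe. The "wrote to memory" rows on their own do not prove injection, since creating a child process also writes into it; what matters is the chain. The Processes list below adds repeated `ping <host> -n 65500 -l 1340` runs, i.e. 65500 echo requests with a 1340-byte payload against each of three hosts. The following Python is an added example, not part of the sandbox output: it parses rows in the table's own format, collapses the repeated rows per parent/child pair, flags core process names outside System32 and parent/child pairs that cannot occur on a clean system, and scores ping command lines against flood thresholds. The core-process set, the expected-parent table and the thresholds are this example's assumptions; the sample rows are copied from the report.

```python
r"""Added triage helpers for the process tree in this report (example code,
not part of the sandbox output). Sample rows are copied from the
'Suspicious use of WriteProcessMemory' table and the Processes list; the
core-process set, expected-parent table and ping thresholds are assumptions."""
import re
from pathlib import PureWindowsPath

# Core Windows processes that only ever run from %SystemRoot%\System32. They
# are native 64-bit images on 64-bit Windows, so a copy under SysWOW64 (as in
# this report) is masquerading whatever the file is called.
CORE = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
        "services.exe", "lsass.exe", "svchost.exe", "conhost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Who legitimately creates whom on a clean system.
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"}, "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"}, "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"},
}

WRITE_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def name_and_dir(path):
    p = PureWindowsPath(path)
    return p.name.lower(), str(p.parent).lower()

def masquerading(path):
    """True when `path` carries a core process name outside System32."""
    name, parent = name_and_dir(path)
    return name in CORE and parent != SYSTEM32

def flag_writes(table):
    """Collapse the repeated 'wrote to memory' rows per (parent PID, child PID)
    and report every child that masquerades or has an impossible parent."""
    seen = {}
    for line in table.splitlines():
        m = WRITE_ROW.match(line.strip())
        if not m:
            continue  # header, blank or unrelated row
        ppid, cpid, parent, child = m.groups()
        rec = seen.setdefault((int(ppid), int(cpid)),
                              {"parent": parent, "child": child, "writes": 0})
        rec["writes"] += 1
    findings = []
    for (ppid, cpid), rec in seen.items():
        cname, _ = name_and_dir(rec["child"])
        pname, _ = name_and_dir(rec["parent"])
        reasons = []
        if masquerading(rec["child"]):
            reasons.append("core process name outside System32")
        if cname in EXPECTED_PARENT and pname not in EXPECTED_PARENT[cname]:
            reasons.append("unexpected parent " + pname)
        if reasons:
            findings.append({"parent_pid": ppid, "child_pid": cpid,
                             "reasons": reasons, **rec})
    return findings

def _int(s, default):
    try:
        return int(s)
    except ValueError:
        return default

def ping_abuse(cmdline, max_count=100, max_size=1024):
    """Return (target, count, size) when a Windows ping command line looks
    like a flood: more requests than max_count, a payload above max_size,
    or -t (ping until stopped). Windows defaults are -n 4 and -l 32."""
    toks = cmdline.split()
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("ping", "ping.exe"):
        return None
    target, count, size, i = None, 4, 32, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("-n", "-l", "-w", "-i", "-s", "-j", "-k", "-r") and i + 1 < len(toks):
            if t == "-n":
                count = _int(toks[i + 1], count)
            elif t == "-l":
                size = _int(toks[i + 1], size)
            i += 2
        elif t == "-t":
            count, i = float("inf"), i + 1
        elif t.startswith("-"):
            i += 1  # switch without an argument (-4, -6, -a, -f)
        else:
            target, i = toks[i], i + 1
    return (target, count, size) if count > max_count or size > max_size else None

# Rows copied from the report (the first row appears three times there too).
SAMPLE_WRITES = r"""
Description Indicator Process Target
PID 1340 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1340 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 1340 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
PID 3896 wrote to memory of 1260 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe C:\Windows\System32\Conhost.exe
PID 4872 wrote to memory of 1976 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
PID 4368 wrote to memory of 804 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
"""
SAMPLE_CMDLINES = ["ping www.duniasex.com -n 65500 -l 1340",
                   "ping www.data0.net -n 65500 -l 1340",
                   "rundll32.exe C:\\Windows\\System32\\shimgvw.dll, ImageView_Fullscreen"]

if __name__ == "__main__":
    for f in flag_writes(SAMPLE_WRITES):
        print(f["parent_pid"], "->", f["child_pid"], f["child"], "|", "; ".join(f["reasons"]), f"({f['writes']} writes)")
    for c in SAMPLE_CMDLINES:
        print(c, "->", ping_abuse(c))
```

The Conhost.exe row (PID 3896 to 1260) is the control case: conhost.exe is a core name, but it lives in System32 and is the console host a console program gets by default, so it is not reported. Only the System32 directory is trusted here; SysWOW64 is deliberately not, because none of the masqueraded processes has a 32-bit edition on 64-bit Windows.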

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
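
The two "Set value" rows above write EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which turns User Account Control off; the change only takes effect at the next boot, so the live UAC state during the detonation is unchanged. The "Key created" rows carry no value to judge. The following Python is an added example, not part of the sandbox output: it evaluates "Set value" rows in the table's own format against a small table of Windows policy values that malware commonly flips, and flags any Image File Execution Options Debugger value. The policy table, the IFEO rule and the benign and IFEO test rows are this example's assumptions; the three sample rows are the ones above.

```python
r"""Added example: judge registry 'Set value' rows from the sandbox signature
tables against well-known Windows policy values. The sample rows are copied
from the 'System policy modification' table; the policy table and the IFEO
rule are this example's own assumptions, not findings from the report."""
import re

# Description  Indicator (key\name = "value")  Process  Target
SET_ROW = re.compile(
    r'^Set value \((\w+)\) (.+?)\\([^\\\s]+) = "([^"]*)" (.+?) (\S+)$')

def normalize_hive(native_key):
    r"""Map the kernel object path the sandbox logs (\REGISTRY\MACHINE\...,
    \REGISTRY\USER\<SID>\...) to the usual HKLM / HKCU prefix."""
    m = re.match(r"^\\registry\\(machine|user\\[^\\]+)(\\.*)$", native_key, re.I)
    if not m:
        return native_key
    return ("HKLM" if m.group(1).lower() == "machine" else "HKCU") + m.group(2)

SYS_POLICY = r"hklm\software\microsoft\windows\currentversion\policies\system"
USER_POLICY = r"hkcu\software\microsoft\windows\currentversion\policies\system"
EXPLORER = r"hkcu\software\microsoft\windows\currentversion\explorer\advanced"
IFEO = "hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"

# (lower-cased key, lower-cased value name) -> (value that means 'tampered', finding)
POLICY_VALUES = {
    (SYS_POLICY, "enablelua"): ("0", "UAC disabled (EnableLUA=0; takes effect at next boot)"),
    (SYS_POLICY, "consentpromptbehavioradmin"): ("0", "UAC set to elevate without prompting"),
    (USER_POLICY, "disableregistrytools"): ("1", "Registry Editor disabled for the user"),
    (USER_POLICY, "disabletaskmgr"): ("1", "Task Manager disabled for the user"),
    (r"hklm\software\policies\microsoft\windows nt\systemrestore", "disablesr"):
        ("1", "System Restore disabled by policy"),
    (EXPLORER, "hidden"): ("2", "Explorer set to hide hidden files"),
    (EXPLORER, "showsuperhidden"): ("0", "Explorer set to hide protected OS files"),
    (EXPLORER, "hidefileext"): ("1", "Explorer set to hide file extensions"),
}

def evaluate(rows):
    """Return (key and value name, finding, writing process) per tampering row."""
    findings = []
    for line in rows.splitlines():
        m = SET_ROW.match(line.strip())
        if not m:
            continue  # headers and 'Key created' rows carry no value to judge
        _vtype, key, name, value, process, _target = m.groups()
        key, name = normalize_hive(key).lower(), name.lower()
        rule = POLICY_VALUES.get((key, name))
        if rule and value == rule[0]:
            findings.append((key + "\\" + name, rule[1], process))
        elif key.startswith(IFEO) and name == "debugger":
            findings.append((key + "\\" + name,
                             "IFEO Debugger hijack: launches " + value, process))
    return findings

# Rows copied from the report.
SAMPLE_ROWS = r"""
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
"""

if __name__ == "__main__":
    for key, finding, process in evaluate(SAMPLE_ROWS):
        print(f"{finding}\n    {key}\n    by {process}")
```

On a live host the same value is read with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA`; a value of 0 there after this sample has run means the next reboot comes up without UAC, so the setting has to be restored before the machine is rebooted, not just the dropped files removed.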

Processes

C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe

"C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe"

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe


C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen

C:\Windows\SysWOW64\ping.exe

ping www.duniasex.com -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.data0.net -n 65500 -l 1340

C:\Windows\SysWOW64\ping.exe

ping www.rasasayang.com.my -n 65500 -l 1340

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 www.data0.net udp
US 8.8.8.8:53 www.duniasex.com udp
US 8.8.8.8:53 www.rasasayang.com.my udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

MD5 a852e8f5825ce4e5ccec5193935c15ec
SHA1 97b976f4fe8ac3cc7dd9c15c5bda3c4087dc748b
SHA256 84c8856bbe0cbecceaa75bc3b4c37f244dcb0fe000cea875664c6e47d0785c05
SHA512 a2c8897c4bf1eae2d06ce7f598ec0a964516347c07bddbba45a529cbeed011361abd43ac543ac5e3cbf8eed4a4493e9415f9c386e61213c559cc3d8b4e91eb14

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
