Analysis Overview
SHA256
ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926
Threat Level: Known bad
The file ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Event Triggered Execution: Image File Execution Options Injection
Disables RegEdit via registry modification
Disables use of System Restore points
Loads dropped DLL
Modifies system executable filetype association
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-04 04:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 04:43
Reported
2024-11-04 04:45
Platform
win7-20240903-en
Max time kernel
20s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe
"C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1216005302-658175720-131130654565700056481625382220288938181320655239-884498551"
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "421992051490440643-1794323164-326163830-842654299-1626718916-1846925521242363997"
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1987283816451169369-1185760342-1203092750-149081827211612313161704905478-522178074"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "748853138232453350-11212181311926319523-26757907-1829407793897664030736713764"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2072924966930573112-997312276-114159346-1101003567-1945645594-516370126-24122201"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9438571-139514298713127094941418466364-736554391568433073122771574930031772"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1159478351-294084014145286506415342025727624522415276602941047928122-293428546"
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "833804034-1835202251-556717819262236084416674389-14164120291585723086-2090194374"
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2921833191518153876-1397858974-13828232761226117590-5268052116766291511375708480"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "828939767902603920-15993072981791782570-1889135589-1837040685-961910568-1442860997"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1921118048122941313517484045101647766466-2026865443-3326255752138490612-795621430"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "125834794-2086827008-1415580861169430768519865781975761713185048925623510597"
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-730629094-19506369011361701616466336054-15163688711868231254-7647748421462671462"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158254199510421335544869507591338814765-1073674445-1275401339274339641879935215"
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
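The listing above alternates a process image path with the command line that started it. As an added example (not part of this report, and not the sandbox's own signature logic), the following Python reads that layout and flags the two patterns that dominate it: copies of smss.exe, csrss.exe, lsass.exe, services.exe and winlogon.exe executing from a tilde-named subdirectory of System32/SysWOW64 instead of from those directories themselves, and ping.exe launched with `-n 65500 -l 1340` against the three hosts that also appear in the Network table below. The process-name set, the directory allow-list and the flood thresholds are this example's assumptions; the sample rows are copied from the listing. The `rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen` rows are the built-in Windows picture viewer and are deliberately left unflagged.

```python
"""Triage a sandbox process listing for system-process masquerading and
ping-flood command lines.

Added example, not part of the sandbox report. It reads the listing format
used above (a process path line followed by its command-line line). The
process names, directories and thresholds are this example's assumptions.
"""
from collections import Counter

# Core Windows processes that a stock install only runs from these two
# directories; the report's copies live in a tilde-named subdirectory instead.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# ping turned into a flooder: a huge echo count with an oversized payload.
FLOOD_COUNT = 1000      # assumption: ping's default is 4 requests
FLOOD_PAYLOAD = 1000    # assumption: ping's default payload is 32 bytes

# Windows ping options that consume the following token as their argument.
VALUE_OPTS = {"-n", "-l", "-i", "-v", "-w", "-r", "-s", "-j", "-k", "-p", "-c"}


def parse_listing(text):
    """Pair the alternating lines of the listing into (path, command_line)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing must alternate path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def check_masquerade(path):
    """True when a core system process name runs outside System32/SysWOW64."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_PROCESSES and directory not in LEGIT_DIRS


def check_ping_flood(cmdline):
    """Return the target host when the command is a ping flood, else None."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() not in ("ping", "ping.exe"):
        return None
    host, count, size = None, 4, 32          # Windows ping defaults
    it = iter(tokens[1:])
    for tok in it:
        opt = tok.lower()
        if opt in VALUE_OPTS:
            val = next(it, "")
            if opt == "-n" and val.isdigit():
                count = int(val)
            elif opt == "-l" and val.isdigit():
                size = int(val)
        elif not tok.startswith("-"):
            host = tok
    if host and count >= FLOOD_COUNT and size >= FLOOD_PAYLOAD:
        return host
    return None


def triage(text):
    """Count masquerading images and flood targets across the whole listing."""
    findings = {"masquerade": Counter(), "ping_flood": Counter()}
    for path, cmdline in parse_listing(text):
        if check_masquerade(path):
            findings["masquerade"][path.lower()] += 1
        host = check_ping_flood(cmdline)
        if host:
            findings["ping_flood"][host.lower()] += 1
    return findings


# Constructed excerpt: rows copied from the process listing above.
SAMPLE = r"""
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
"""

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE).items():
        for key, n in hits.most_common():
            print(f"{kind:<10} x{n:<3} {key}")
```

Run against the full listing, the counters give the spawn rate of each fake system process and how many flood instances were aimed at each host; the command line of every masquerading entry is the System32 path because the 32-bit process reports its own image through the WOW64 file-system redirection, so the SysWOW64 path line, not the command line, is the one to key on.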
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.duniasex.com | udp |
| US | 8.8.8.8:53 | www.data0.net | udp |
| US | 8.8.8.8:53 | www.rasasayang.com.my | udp |
Files
memory/2728-0-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
| MD5 | f55af2b3ba021a7e895992a7e3088f66 |
| SHA1 | 847fa3752995497a7bc9552e0e2d9f96fbfc5821 |
| SHA256 | 1429fdc8d623b678788de5fa5bda3af1473af0948812fa543083a07c8a90e700 |
| SHA512 | ef412695e89b9bde80d0d453ac0edbb4c20db7c195f185bbe187b258c4d037c065e98c070da67554f5603e02092f3cee110c19032fce4a934d2a2de914f8e09b |
memory/2728-60-0x0000000000300000-0x0000000000326000-memory.dmp
memory/2728-59-0x0000000000300000-0x0000000000326000-memory.dmp
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
| MD5 | 5343a19c618bc515ceb1695586c6c137 |
| SHA1 | 4dedae8cbde066f31c8e6b52c0baa3f8b1117742 |
| SHA256 | 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce |
| SHA512 | 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606 |
memory/3068-73-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/792-78-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3068-77-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/792-82-0x0000000000400000-0x0000000000426000-memory.dmp
memory/624-87-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2728-93-0x0000000000300000-0x0000000000326000-memory.dmp
memory/2728-92-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2728-101-0x0000000000300000-0x0000000000326000-memory.dmp
memory/3056-100-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3068-106-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/624-104-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/3068-103-0x0000000000400000-0x0000000000426000-memory.dmp
memory/624-116-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/624-115-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/2144-112-0x0000000000400000-0x0000000000426000-memory.dmp
memory/624-123-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2888-126-0x0000000000320000-0x0000000000346000-memory.dmp
memory/2888-124-0x0000000000320000-0x0000000000346000-memory.dmp
memory/1252-134-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2276-142-0x0000000000400000-0x0000000000426000-memory.dmp
memory/624-144-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/2888-143-0x0000000000320000-0x0000000000346000-memory.dmp
memory/2832-148-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2888-153-0x0000000000400000-0x0000000000426000-memory.dmp
memory/624-151-0x0000000000290000-0x00000000002B6000-memory.dmp
memory/2436-159-0x0000000000370000-0x0000000000396000-memory.dmp
memory/1704-166-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2436-178-0x0000000000370000-0x0000000000396000-memory.dmp
memory/2292-175-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2396-187-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2436-183-0x0000000000370000-0x0000000000396000-memory.dmp
memory/2436-188-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1864-192-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2436-194-0x0000000000370000-0x0000000000396000-memory.dmp
memory/768-195-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1420-200-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1800-204-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2436-205-0x0000000000370000-0x0000000000396000-memory.dmp
memory/2176-209-0x0000000000400000-0x0000000000426000-memory.dmp
memory/768-212-0x0000000000310000-0x0000000000336000-memory.dmp
memory/768-213-0x0000000000400000-0x0000000000426000-memory.dmp
memory/768-211-0x0000000000310000-0x0000000000336000-memory.dmp
memory/2436-210-0x0000000000370000-0x0000000000396000-memory.dmp
memory/676-217-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2164-221-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3040-224-0x00000000005E0000-0x0000000000606000-memory.dmp
memory/1644-228-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1316-232-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3040-235-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2196-237-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1480-241-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1220-245-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1660-248-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3040-249-0x0000000000400000-0x0000000000426000-memory.dmp
memory/768-251-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2676-258-0x00000000004B0000-0x00000000004D6000-memory.dmp
memory/2692-257-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2676-261-0x00000000004B0000-0x00000000004D6000-memory.dmp
memory/2696-264-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2676-266-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2528-268-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2652-272-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3064-278-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1536-279-0x00000000023D0000-0x00000000023F6000-memory.dmp
memory/1588-283-0x0000000000400000-0x0000000000426000-memory.dmp
memory/596-287-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1536-286-0x00000000023D0000-0x00000000023F6000-memory.dmp
memory/1536-289-0x0000000000400000-0x0000000000426000-memory.dmp
memory/808-294-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1536-292-0x00000000023D0000-0x00000000023F6000-memory.dmp
memory/1424-298-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1536-304-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2304-306-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2676-308-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2888-309-0x0000000000320000-0x0000000000346000-memory.dmp
memory/2436-311-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2988-314-0x0000000000340000-0x0000000000366000-memory.dmp
memory/1620-315-0x0000000000400000-0x0000000000426000-memory.dmp
memory/676-320-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1620-319-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2988-323-0x0000000000340000-0x0000000000366000-memory.dmp
memory/1324-330-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2888-327-0x0000000000320000-0x0000000000346000-memory.dmp
memory/2988-332-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1296-336-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1296-340-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1316-344-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1316-345-0x00000000005C0000-0x00000000005E6000-memory.dmp
memory/2360-349-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2012-353-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2188-356-0x0000000000300000-0x0000000000326000-memory.dmp
memory/2656-361-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2188-359-0x0000000000300000-0x0000000000326000-memory.dmp
memory/2188-366-0x0000000000300000-0x0000000000326000-memory.dmp
memory/1316-367-0x00000000005C0000-0x00000000005E6000-memory.dmp
memory/2556-365-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2188-370-0x0000000000300000-0x0000000000326000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 04:43
Reported
2024-11-04 04:46
Platform
win10v2004-20241007-en
Max time kernel
16s
Max time network
158s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | N/A |
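The registry rows above (EnableLUA forced to 0, NeverShowExt added under Classes\exefile, the Internet Explorer window title rewritten) are concrete enough to turn into host-side triage rules. The following Python is an added example, not part of the sandbox report, that evaluates (registry path, value) pairs such as Sysmon Event ID 13 records or rows from a report like this one. SAMPLE_EVENTS is constructed from the rows above, plus a constructed Winlogon Shell entry pointing at the dropped winlogon.exe from the process list (a dropper that stages a file under that name in a System32 subdirectory is the classic pairing for a Shell hijack) and two benign control rows; the rule names and the 60-character truncation are my own. One caveat worth building in: a 32-bit process writing to HKLM\SOFTWARE lands in the Wow6432Node view, while a 64-bit Winlogon reads the native key, so a rule that watches only one view misses the other. The check below matches both and reports which one it hit.

```python
"""Evaluate registry value writes against the indicators this report lists:
Winlogon Shell hijack, EnableLUA=0, exefile NeverShowExt, and the IE window
title. Added example for this report; SAMPLE_EVENTS is constructed from the
"Set value" rows above plus control rows, not read from a live host.
"""
import ntpath
import re

WINLOGON_SHELL = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
ENABLE_LUA = re.compile(r"\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)
NEVER_SHOW_EXT = re.compile(r"\\Classes\\exefile\\NeverShowExt$", re.I)
IE_WINDOW_TITLE = re.compile(r"\\Internet Explorer\\Main\\Window Title$", re.I)

SAMPLE_EVENTS = [
    # constructed Shell entry: explorer.exe plus the dropped winlogon.exe path
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     r"Explorer.exe, C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt", ""),
    (r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title",
     "++++ Hey, Hokage/babon (Anbu*Team*Sampit), Is this My places, Wanna start a War ++++"),
    # benign controls (constructed): default Shell in the native view, UAC left on
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "1"),
]


def shell_extra_entries(value):
    """Winlogon starts every comma-separated program listed in Shell, so any
    entry besides explorer.exe is a logon-time autostart. Returns those entries."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "explorer.exe":
            extras.append(entry)
    return extras


def check_registry_event(path, value):
    """Return (rule, detail) findings for one registry value write."""
    value = str(value).strip('"')
    if WINLOGON_SHELL.search(path):
        extras = shell_extra_entries(value)
        if extras:
            # Wow6432Node is the redirected view a 32-bit writer lands in;
            # a 64-bit Winlogon reads the native key, so report which one.
            view = "wow64" if "\\wow6432node\\" in path.lower() else "native"
            return [("winlogon_shell_hijack", f"{view}: {'; '.join(extras)}")]
    elif ENABLE_LUA.search(path) and value == "0":
        return [("uac_disabled", "EnableLUA=0")]
    elif NEVER_SHOW_EXT.search(path):
        return [("exe_extension_hidden", "Classes\\exefile\\NeverShowExt present")]
    elif IE_WINDOW_TITLE.search(path):
        return [("ie_window_title_set", value[:60])]  # assumption: 60 chars is enough
    return []


def triage(events):
    """Run every event through the rules; returns (rule, detail, path) rows."""
    return [(rule, detail, path)
            for path, value in events
            for rule, detail in check_registry_event(path, value)]


if __name__ == "__main__":
    for rule, detail, path in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}\n    {path}")
```

On the sample events the two control rows produce nothing and the four indicator rows each produce one finding, the Shell one tagged "wow64:" so the analyst knows to also read the native key before declaring the persistence effective on a 64-bit host.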
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe | "C:\Users\Admin\AppData\Local\Temp\ca1ee57569f9477da818853b62753f2c47248be909abebe24f1c90acbd2ca926.exe" |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
| Process | Command Line |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community |
| C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe | C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen |
| C:\Windows\SysWOW64\ping.exe | ping www.duniasex.com -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.data0.net -n 65500 -l 1340 |
| C:\Windows\SysWOW64\ping.exe | ping www.rasasayang.com.my -n 65500 -l 1340 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.data0.net | udp |
| US | 8.8.8.8:53 | www.duniasex.com | udp |
| US | 8.8.8.8:53 | www.rasasayang.com.my | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
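The process list and the Network table above carry three findings worth automating: copies of csrss.exe, smss.exe, lsass.exe, services.exe and winlogon.exe launched from a `~A~m~B~u~R~a~D~u~L~` subdirectory rather than from System32 or SysWOW64 itself, repeated `ping <host> -n 65500 -l 1340` floods against three external sites, and `rundll32.exe shimgvw.dll, ImageView_Fullscreen` used as a full-screen picture decoy. The following Python is an added example, not code from the report or its sandbox vendor. Its sample input is copied from the report; the pairing rule (each image path line is followed by that process's command line), the flood thresholds, and the treatment of reverse lookups and `*.bing.com` as sandbox background traffic are this example's own assumptions.

```python
"""Triage helpers for a flattened sandbox process list and its DNS table.

Added example; not code from the report or its vendor. Sample lines are
copied from the report. The path/command-line pairing rule, the flood
thresholds and the background-noise filter are this example's assumptions.
"""
import re
from collections import Counter

# Core Windows images that legitimately run only from these two directories.
# The parent directory must match exactly: a subdirectory of SysWOW64, as in
# the report, is still masquerading (ATT&CK T1036.005).
SYSTEM_IMAGE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumed thresholds: ping.exe defaults to 4 requests of 32 bytes, so tens of
# thousands of near-MTU requests per host is a flood, not a reachability check.
PING_COUNT_THRESHOLD = 1000
PING_SIZE_THRESHOLD = 1000

# Assumed sandbox background traffic (reverse lookups, Windows/IE telemetry).
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.com")

# Constructed sample: a slice of the report's process list. The flattened
# tree alternates image path, command line, image path, command line, ...
SAMPLE_PROCESS_LINES = [
    r"C:\Windows\SysWOW64\ping.exe",
    r"ping www.duniasex.com -n 65500 -l 1340",
    r"C:\Windows\SysWOW64\rundll32.exe",
    r"rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen",
    r"C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe",
    r"C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe",
    r"C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community",
    r"C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community",
    r"C:\Windows\SysWOW64\ping.exe",
    r"ping www.rasasayang.com.my -n 65500 -l 1340",
]

# Constructed sample: rows copied from the report's Network table.
SAMPLE_NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 8.8.8.8:53 | www.data0.net | udp |",
    "| US | 8.8.8.8:53 | www.duniasex.com | udp |",
    "| US | 8.8.8.8:53 | www.rasasayang.com.my | udp |",
]

PING_RE = re.compile(r"^ping\s+(?P<target>\S+)(?P<args>.*)$", re.I)

def parse_processes(lines):
    """Pair each image path with the command line on the following line."""
    if len(lines) % 2:
        raise ValueError("odd line count: not path/command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))

def is_masquerading(image_path):
    """True for a core-system image name running outside its home directory."""
    parent, _, name = image_path.rpartition("\\")
    return name.lower() in SYSTEM_IMAGE_NAMES and parent.lower() not in LEGIT_DIRS

def ping_flood_target(cmdline):
    """Host of a ping whose -n or -l exceeds the thresholds, else None."""
    m = PING_RE.match(cmdline.strip())
    if not m:
        return None
    args = m.group("args")
    count = int(n.group(1)) if (n := re.search(r"-n\s+(\d+)", args)) else 4
    size = int(s.group(1)) if (s := re.search(r"-l\s+(\d+)", args)) else 32
    if count >= PING_COUNT_THRESHOLD or size >= PING_SIZE_THRESHOLD:
        return m.group("target").lower()
    return None

def triage_processes(lines):
    """Masquerading images, ping-flood targets and the decoy picture viewer."""
    masquerading, targets, decoy = [], Counter(), False
    for path, cmdline in parse_processes(lines):
        if is_masquerading(path):
            masquerading.append(path)
        if (target := ping_flood_target(cmdline)):
            targets[target] += 1
        # shimgvw.dll!ImageView_Fullscreen shows a picture full screen: a
        # decoy for the victim while the rest of the tree keeps running.
        low = cmdline.lower()
        if "shimgvw.dll" in low and "imageview_fullscreen" in low:
            decoy = True
    return {"masquerading": masquerading, "ping_targets": targets, "decoy_viewer": decoy}

def sample_lookups(rows):
    """Domains in the network table that are not sandbox background noise."""
    domains = set()
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) == 4 and not cells[2].lower().endswith(NOISE_DOMAIN_SUFFIXES):
            domains.add(cells[2].lower())
    return domains

def confirmed_flood_targets(process_lines, network_rows):
    """Flood targets the sandbox actually saw being resolved."""
    targets = set(triage_processes(process_lines)["ping_targets"])
    return targets & sample_lookups(network_rows)
```

The directory check deliberately compares the parent directory exactly rather than by prefix: a prefix match on `C:\Windows\SysWOW64` would accept every path in this report, because the dropped copies live one level below it. Run over the full list, `confirmed_flood_targets` returns the ping targets that also appear as DNS queries, which is the set of external hosts this sample would actually have hit had the sandbox not sinkholed them.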
Files
memory/1340-0-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
| MD5 | a852e8f5825ce4e5ccec5193935c15ec |
| SHA1 | 97b976f4fe8ac3cc7dd9c15c5bda3c4087dc748b |
| SHA256 | 84c8856bbe0cbecceaa75bc3b4c37f244dcb0fe000cea875664c6e47d0785c05 |
| SHA512 | a2c8897c4bf1eae2d06ce7f598ec0a964516347c07bddbba45a529cbeed011361abd43ac543ac5e3cbf8eed4a4493e9415f9c386e61213c559cc3d8b4e91eb14 |
memory/1764-55-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
| MD5 | 25f62c02619174b35851b0e0455b3d94 |
| SHA1 | 4e8ee85157f1769f6e3f61c0acbe59072209da71 |
| SHA256 | 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2 |
| SHA512 | f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a |
memory/548-68-0x0000000000400000-0x0000000000426000-memory.dmp
memory/548-74-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3888-84-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1260-87-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1340-90-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4576-98-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5008-105-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1528-116-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1764-114-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1528-121-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1876-129-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3896-128-0x0000000000400000-0x0000000000426000-memory.dmp
memory/212-141-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4872-144-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5100-151-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3492-157-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1976-167-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5052-170-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3740-176-0x0000000000400000-0x0000000000426000-memory.dmp
memory/804-186-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4996-192-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4904-196-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4660-207-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2696-203-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2696-211-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1968-214-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4368-216-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4904-221-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3328-236-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1652-247-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4796-253-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2224-258-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4660-272-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3740-276-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2240-280-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3440-285-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3640-300-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4376-308-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2232-310-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3896-322-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1764-324-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4872-326-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4956-320-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1652-318-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4796-316-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1976-328-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3740-331-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4376-303-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1440-298-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5420-336-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4368-289-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3616-278-0x0000000000400000-0x0000000000426000-memory.dmp
memory/468-356-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5420-359-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5652-365-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5492-372-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5948-379-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5720-383-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2348-388-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6032-395-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1344-394-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4448-399-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6112-403-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5688-405-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5188-409-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5328-412-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2508-417-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6436-438-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6468-442-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6500-446-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5328-445-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6500-450-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6620-455-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6712-459-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1340-463-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5328-461-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6968-467-0x0000000000400000-0x0000000000426000-memory.dmp
memory/5188-471-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6364-476-0x0000000000400000-0x0000000000426000-memory.dmp
memory/768-508-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7048-511-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4400-517-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6088-513-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6788-519-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6584-521-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6652-530-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4564-527-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6668-537-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6500-550-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6268-547-0x0000000000400000-0x0000000000426000-memory.dmp
memory/6364-503-0x0000000000400000-0x0000000000426000-memory.dmp
memory/468-556-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4564-565-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7856-571-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7804-573-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7976-580-0x0000000000400000-0x0000000000426000-memory.dmp
memory/7288-583-0x0000000000400000-0x0000000000426000-memory.dmp
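Every memory dump above covers the same region, 0x400000 to 0x426000, across dozens of process IDs, which is what a single 32-bit image loaded at its default base in each spawned copy looks like. The following Python is an added example, not code from the report or its sandbox vendor: it parses the dump names (assumed layout `memory/<pid>-<capture index>-0x<start>-0x<end>-memory.dmp`), counts distinct processes, checks that the mapped region is uniform, and picks the earliest capture per PID as the dump to hash first when comparing the in-memory image with the dropped files. The sample names are copied from the report.

```python
"""Summarise a sandbox report's memory-dump listing.

Added example; not code from the report or its vendor. The dump names are
copied from the report's Files section. The assumed name layout is
memory/<pid>-<capture index>-0x<start>-0x<end>-memory.dmp.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Constructed sample: six of the report's dump names.
SAMPLE_DUMPS = [
    "memory/1340-0-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/1764-55-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/548-68-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/548-74-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/1340-90-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/1340-463-0x0000000000400000-0x0000000000426000-memory.dmp",
]

def parse_dump_name(name):
    """Split one dump name into pid, capture index and mapped region."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}

def summarize_dumps(names):
    """Distinct PIDs, whether all dumps share one region, and the earliest
    capture per PID (the one to hash first against the dropped files)."""
    dumps = [parse_dump_name(n) for n in names]
    regions = {(d["start"], d["end"]) for d in dumps}
    first = {}
    for d in dumps:
        if d["pid"] not in first or d["seq"] < first[d["pid"]]["seq"]:
            first[d["pid"]] = d
    # A single region across every PID means the same image was mapped at
    # the same base in each process; several regions would mean injected
    # or unpacked code worth dumping separately.
    region = next(iter(regions)) if len(regions) == 1 else None
    return {
        "dump_count": len(dumps),
        "pids": sorted(first),
        "uniform_region": region,
        "image_size": region[1] - region[0] if region else None,
        "first_capture": {pid: d["seq"] for pid, d in first.items()},
    }
```

On the six sample names this reports three processes and a uniform 0x26000-byte region; run over the whole listing it gives the number of distinct copies the sample spawned inside the 120-second window and confirms they all carry the same image.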