b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46

Analysis

max time kernel
192s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
Size

105KB
MD5

6eb399013bf58679dcbfb3c184509213
SHA1

18bd15efa52dbb99c7a7e997e36667d87c0caa48
SHA256

b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46
SHA512

3f45bab85413b733ecba45617bdf392b6f6e0cf028f285fce8c28317069ee60fdbde39e345851fa3350c14dbcf4b92326b950aaaf52c49f205a3c989ffb12566
SSDEEP

1536:EyqrQrFUH+HtWXiaAkc//////4KCCai/iZ72rHp/pOiqms1zLaqOiQMaz/iE0f:SqOHjyAc//////jCCLi+Jz1GaqdZazjg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2856	cabinet.exe
4220	cabinet.exe
3448	cabinet.exe
1788	cabinet.exe
3880	cabinet.exe
608	cabinet.exe
5076	cabinet.exe
4588	cabinet.exe
5100	cabinet.exe
4292	cabinet.exe
3504	cabinet.exe
3628	cabinet.exe
784	cabinet.exe
3612	cabinet.exe
4180	cabinet.exe
4212	cabinet.exe
820	cabinet.exe
2784	cabinet.exe
1164	cabinet.exe
4332	cabinet.exe
5100	cabinet.exe
3500	cabinet.exe
4276	cabinet.exe
4152	cabinet.exe
4716	cabinet.exe
4100	cabinet.exe
4856	cabinet.exe
2652	cabinet.exe
3956	cabinet.exe
2264	cabinet.exe
2724	cabinet.exe
4852	cabinet.exe
3476	cabinet.exe
4460	cabinet.exe
4944	cabinet.exe
4740	cabinet.exe
2032	cabinet.exe
4176	cabinet.exe
4688	cabinet.exe
1812	cabinet.exe
1464	cabinet.exe
2164	cabinet.exe
1168	cabinet.exe
3064	cabinet.exe
1496	cabinet.exe
2836	cabinet.exe
3812	cabinet.exe
3208	cabinet.exe
964	cabinet.exe
3000	cabinet.exe
4896	cabinet.exe
2124	cabinet.exe
3688	cabinet.exe
5008	cabinet.exe
4872	cabinet.exe
2300	cabinet.exe
3612	cabinet.exe
3356	cabinet.exe
2644	cabinet.exe
4232	cabinet.exe
1840	cabinet.exe
4780	cabinet.exe
3468	cabinet.exe
1204	cabinet.exe

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\cabinet.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}	reg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File opened for modification	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\c_l8679.nls	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe
File created	C:\Windows\SysWOW64\cabinet.exe	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
File created	C:\Windows\SysWOW64\_Setup.bat	cabinet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 3288	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	83

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
2856	cabinet.exe
2856	cabinet.exe
4220	cabinet.exe
4220	cabinet.exe
3448	cabinet.exe
3448	cabinet.exe
1788	cabinet.exe
1788	cabinet.exe
3880	cabinet.exe
3880	cabinet.exe
608	cabinet.exe
608	cabinet.exe
5076	cabinet.exe
5076	cabinet.exe
4588	cabinet.exe
4588	cabinet.exe
5100	cabinet.exe
5100	cabinet.exe
4292	cabinet.exe
4292	cabinet.exe
3504	cabinet.exe
3504	cabinet.exe
3628	cabinet.exe
3628	cabinet.exe
784	cabinet.exe
784	cabinet.exe
3612	cabinet.exe
3612	cabinet.exe
4180	cabinet.exe
4180	cabinet.exe
4212	cabinet.exe
4212	cabinet.exe
820	cabinet.exe
820	cabinet.exe
2784	cabinet.exe
2784	cabinet.exe
1164	cabinet.exe
1164	cabinet.exe
4332	cabinet.exe
4332	cabinet.exe
5100	cabinet.exe
5100	cabinet.exe
3500	cabinet.exe
3500	cabinet.exe
4276	cabinet.exe
4276	cabinet.exe
4152	cabinet.exe
4152	cabinet.exe
4716	cabinet.exe
4716	cabinet.exe
4100	cabinet.exe
4100	cabinet.exe
4856	cabinet.exe
4856	cabinet.exe
2652	cabinet.exe
2652	cabinet.exe
3956	cabinet.exe
3956	cabinet.exe
2264	cabinet.exe
2264	cabinet.exe
2724	cabinet.exe
2724	cabinet.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3288	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4204	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	82
PID 1280 wrote to memory of 4204	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	82
PID 1280 wrote to memory of 4204	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	82
PID 1280 wrote to memory of 3288	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	83
PID 1280 wrote to memory of 3288	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	83
PID 1280 wrote to memory of 3288	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	83
PID 1280 wrote to memory of 3288	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	83
PID 1280 wrote to memory of 3288	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	83
PID 4204 wrote to memory of 2264	4204	cmd.exe	86
PID 4204 wrote to memory of 2264	4204	cmd.exe	86
PID 4204 wrote to memory of 2264	4204	cmd.exe	86
PID 4204 wrote to memory of 3176	4204	cmd.exe	87
PID 4204 wrote to memory of 3176	4204	cmd.exe	87
PID 4204 wrote to memory of 3176	4204	cmd.exe	87
PID 1280 wrote to memory of 2856	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	88
PID 1280 wrote to memory of 2856	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	88
PID 1280 wrote to memory of 2856	1280	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	88
PID 2856 wrote to memory of 3492	2856	cabinet.exe	89
PID 2856 wrote to memory of 3492	2856	cabinet.exe	89
PID 2856 wrote to memory of 3492	2856	cabinet.exe	89
PID 2856 wrote to memory of 4220	2856	cabinet.exe	92
PID 2856 wrote to memory of 4220	2856	cabinet.exe	92
PID 2856 wrote to memory of 4220	2856	cabinet.exe	92
PID 4220 wrote to memory of 3512	4220	cabinet.exe	93
PID 4220 wrote to memory of 3512	4220	cabinet.exe	93
PID 4220 wrote to memory of 3512	4220	cabinet.exe	93
PID 3512 wrote to memory of 2540	3512	cmd.exe	95
PID 3512 wrote to memory of 2540	3512	cmd.exe	95
PID 3512 wrote to memory of 2540	3512	cmd.exe	95
PID 3512 wrote to memory of 3128	3512	cmd.exe	96
PID 3512 wrote to memory of 3128	3512	cmd.exe	96
PID 3512 wrote to memory of 3128	3512	cmd.exe	96
PID 4220 wrote to memory of 3448	4220	cabinet.exe	97
PID 4220 wrote to memory of 3448	4220	cabinet.exe	97
PID 4220 wrote to memory of 3448	4220	cabinet.exe	97
PID 3448 wrote to memory of 2428	3448	cabinet.exe	98
PID 3448 wrote to memory of 2428	3448	cabinet.exe	98
PID 3448 wrote to memory of 2428	3448	cabinet.exe	98
PID 2428 wrote to memory of 5064	2428	cmd.exe	100
PID 2428 wrote to memory of 5064	2428	cmd.exe	100
PID 2428 wrote to memory of 5064	2428	cmd.exe	100
PID 2428 wrote to memory of 4764	2428	cmd.exe	101
PID 2428 wrote to memory of 4764	2428	cmd.exe	101
PID 2428 wrote to memory of 4764	2428	cmd.exe	101
PID 3448 wrote to memory of 1788	3448	cabinet.exe	102
PID 3448 wrote to memory of 1788	3448	cabinet.exe	102
PID 3448 wrote to memory of 1788	3448	cabinet.exe	102
PID 1788 wrote to memory of 1796	1788	cabinet.exe	103
PID 1788 wrote to memory of 1796	1788	cabinet.exe	103
PID 1788 wrote to memory of 1796	1788	cabinet.exe	103
PID 1796 wrote to memory of 3792	1796	cmd.exe	105
PID 1796 wrote to memory of 3792	1796	cmd.exe	105
PID 1796 wrote to memory of 3792	1796	cmd.exe	105
PID 1796 wrote to memory of 4128	1796	cmd.exe	106
PID 1796 wrote to memory of 4128	1796	cmd.exe	106
PID 1796 wrote to memory of 4128	1796	cmd.exe	106
PID 1788 wrote to memory of 3880	1788	cabinet.exe	107
PID 1788 wrote to memory of 3880	1788	cabinet.exe	107
PID 1788 wrote to memory of 3880	1788	cabinet.exe	107
PID 3880 wrote to memory of 4260	3880	cabinet.exe	109
PID 3880 wrote to memory of 4260	3880	cabinet.exe	109
PID 3880 wrote to memory of 4260	3880	cabinet.exe	109
PID 4260 wrote to memory of 4716	4260	cmd.exe	110
PID 4260 wrote to memory of 4716	4260	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
"C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
    3⤵
    - Modifies Installed Components in the registry
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
    3⤵
    PID:3176
- C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
  C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3288
- C:\Windows\SysWOW64\cabinet.exe
  C:\Windows\system32\cabinet.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\cabinet.exe
    C:\Windows\system32\cabinet.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        5⤵
        Modifies Installed Components in the registry
        
        PID:2540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        5⤵
        
        PID:3128
  - - C:\Windows\SysWOW64\cabinet.exe
      C:\Windows\system32\cabinet.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        6⤵
        
        PID:5064
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        6⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        7⤵
        Modifies Installed Components in the registry
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        7⤵
        
        PID:4128
      - C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        8⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        8⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        9⤵
        Modifies Installed Components in the registry
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        9⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        9⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        10⤵
        Modifies Installed Components in the registry
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        10⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        10⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        11⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        11⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        11⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        12⤵
        Modifies Installed Components in the registry
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        12⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        12⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        13⤵
        Modifies Installed Components in the registry
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        13⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        13⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        14⤵
        Modifies Installed Components in the registry
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        14⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        14⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        15⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        15⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        15⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        16⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        16⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        16⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        17⤵
        Modifies Installed Components in the registry
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        17⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        17⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        18⤵
        Modifies Installed Components in the registry
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        18⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        18⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        19⤵
        Modifies Installed Components in the registry
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        19⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        19⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        20⤵
        Modifies Installed Components in the registry
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        20⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        20⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        21⤵
        Modifies Installed Components in the registry
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        21⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        21⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        22⤵
        Modifies Installed Components in the registry
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        22⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        22⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        23⤵
        Modifies Installed Components in the registry
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        23⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        23⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        24⤵
        Modifies Installed Components in the registry
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        24⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        24⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        25⤵
        Modifies Installed Components in the registry
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        25⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        25⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        26⤵
        Modifies Installed Components in the registry
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        26⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        26⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        27⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        27⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        27⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        28⤵
        Modifies Installed Components in the registry
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        28⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        28⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        29⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        29⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        29⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        30⤵
        Modifies Installed Components in the registry
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        30⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        30⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        31⤵
        Modifies Installed Components in the registry
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        31⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        31⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        32⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        32⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        32⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        33⤵
        Modifies Installed Components in the registry
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        33⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        33⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        34⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        34⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        34⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        35⤵
        Modifies Installed Components in the registry
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        35⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        35⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        36⤵
        Modifies Installed Components in the registry
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        36⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        36⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        37⤵
        Modifies Installed Components in the registry
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        37⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        37⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        38⤵
        Modifies Installed Components in the registry
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        38⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        38⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        39⤵
        Modifies Installed Components in the registry
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        39⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        39⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        40⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        40⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        40⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        41⤵
        Modifies Installed Components in the registry
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        41⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        41⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        42⤵
        Modifies Installed Components in the registry
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        42⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        42⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        43⤵
        Modifies Installed Components in the registry
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        43⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        43⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        44⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        44⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        44⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        45⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        45⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        45⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        46⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        46⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        46⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        47⤵
        Modifies Installed Components in the registry
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        47⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        47⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        48⤵
        Modifies Installed Components in the registry
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        48⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        48⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        49⤵
        Modifies Installed Components in the registry
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        49⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        49⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        50⤵
        Modifies Installed Components in the registry
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        50⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        50⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        51⤵
        Modifies Installed Components in the registry
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        51⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        51⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        52⤵
        Modifies Installed Components in the registry
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        52⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        52⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        53⤵
        Modifies Installed Components in the registry
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        53⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        53⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        54⤵
        Modifies Installed Components in the registry
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        54⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        53⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        54⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        55⤵
        Modifies Installed Components in the registry
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        55⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        55⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        56⤵
        Modifies Installed Components in the registry
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        56⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        56⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        57⤵
        Modifies Installed Components in the registry
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        57⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        57⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        58⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        58⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        58⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        59⤵
        Modifies Installed Components in the registry
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        59⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        59⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        60⤵
        Modifies Installed Components in the registry
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        60⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        60⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        61⤵
        Modifies Installed Components in the registry
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        61⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        61⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        62⤵
        Modifies Installed Components in the registry
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        62⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        62⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        63⤵
        Modifies Installed Components in the registry
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        63⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        63⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        64⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        64⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        63⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        64⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        65⤵
        Modifies Installed Components in the registry
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        65⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        65⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        66⤵
        Modifies Installed Components in the registry
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        66⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cabinet.exe
        
        C:\Windows\system32\cabinet.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        66⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\cabinet.exe /i" /f
        67⤵
        Modifies Installed Components in the registry
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{223V0554-IX41-5W7X-1M8T-3Y51415KHE66}" /f
        67⤵
        
        PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
353B

MD5
e40ff9e8c18658593ec546bc003884ab

SHA1
779610ac2b6f14a883aed53cd3abfd265370339d

SHA256
2705a2eb6f668147840240b7415c07ea2937b142ee91cd6451db8a9e29fb64d7

SHA512
6682d10fcb05fc06a270d48de54b10dbf7aa708f3e17d7ab95f3ee2170559b3cec7edd1bc6d18425b92b7982151251aa9a6e4f7827df3fc497d63947866d5322

Download Submit
C:\Windows\SysWOW64\c_l8679.nls

Filesize
1KB

MD5
04e5947ae9437206f81eb6f320b8af79

SHA1
25396526a90cf100f558695b7492b926b589c53c

SHA256
2584b8bb8040eccd8324bac8b341eca79a6b950549759a49007680d4bd20b583

SHA512
caae148c4b7b5602d9a0247cac90215c5b5aad8339c6251941403cb872c3b56adfc6f38846e60b4b1c899ee4e932f1040042a6569440282a2017739b59158e97

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\cabinet.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
memory/3288-134-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3288-148-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3288-136-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download