lumma | f007989340d051c2715bedb1bd5d4736cd90dde2453591e4614c3787dae9b126

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 06:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ade99c01a1e92f6dc5c4a4bfec9649e3.exe
Size

98KB
MD5

ade99c01a1e92f6dc5c4a4bfec9649e3
SHA1

21a66edc54dcb6ec86007a7a696eb08b98ab36f6
SHA256

f007989340d051c2715bedb1bd5d4736cd90dde2453591e4614c3787dae9b126
SHA512

d86653c1c2a0b93648e379ee793c830db237385d9cee8718d2eb87a3aa46a5594d18029d54026f8dea02e24be31b87dc19eb2d9d4e786dfefe07998324df87e7
SSDEEP

1536:s2XG4+6SPT8X1Yy6GR+R4n35HaAEWpeUPawcYRgtmz3OENtlesuR3Up3/R:s+G4sPoX1HRZ3NE4e8awP+tmSIc36/R

Score

10^/10

lumma evasion stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 64 IoCs

resource	yara_rule
behavioral1/memory/2860-235-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1756-240-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1492-249-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2860-251-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1836-261-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1492-264-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1836-276-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1404-290-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2120-312-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/976-419-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2392-434-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2120-546-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1728-561-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2392-675-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1728-687-0x00000000027C0000-0x000000000284A000-memory.dmp	family_lumma_v4
behavioral1/memory/1820-693-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1728-803-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2044-812-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1820-926-0x0000000002750000-0x00000000027DA000-memory.dmp	family_lumma_v4
behavioral1/memory/1820-931-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2404-947-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2404-1068-0x00000000025D0000-0x000000000265A000-memory.dmp	family_lumma_v4
behavioral1/memory/2404-1075-0x00000000025D0000-0x000000000265A000-memory.dmp	family_lumma_v4
behavioral1/memory/2476-1136-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2044-1056-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2404-1185-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2328-1202-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2476-1193-0x00000000004D0000-0x000000000055A000-memory.dmp	family_lumma_v4
behavioral1/memory/2476-1309-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1640-1318-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2328-1432-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1640-1555-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1032-1677-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1620-1690-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1112-1692-0x00000000024A0000-0x000000000252A000-memory.dmp	family_lumma_v4
behavioral1/memory/1112-1801-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1620-1923-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/580-2045-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2412-2052-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2016-2167-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2412-2172-0x00000000006D0000-0x000000000075A000-memory.dmp	family_lumma_v4
behavioral1/memory/1784-2179-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2412-2287-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1784-2410-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2516-2423-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2684-2534-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2656-2654-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2516-2655-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2656-2669-0x00000000025F0000-0x000000000267A000-memory.dmp	family_lumma_v4
behavioral1/memory/1648-2670-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2656-2777-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1648-2898-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1804-3020-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1852-3142-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1944-3264-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2116-3383-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2704-3396-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1240-3505-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2704-3623-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2836-3630-0x00000000028B0000-0x000000000293A000-memory.dmp	family_lumma_v4
behavioral1/memory/1268-3632-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2836-3745-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/1268-3868-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral1/memory/2768-3990-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	hisijn.com
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 64 IoCs

pid	Process
2860	juuezf.com
1492	bikjjg.com
1836	ognesg.com
1404	yjcofk.com
976	lhxros.com
2120	yystes.com
2392	lovwna.com
1728	siubcu.com
1820	hbqwlq.com
2044	uslzuq.com
2404	hiobdy.com
2476	rpszvx.com
2328	bshjia.com
1640	ofzzoe.com
1032	ypojjz.com
1112	lcgzpd.com
1620	vqhwfk.com
580	ihbros.com
2016	vulpuo.com
2412	feizpr.com
1784	phyccu.com
2684	cuhziy.com
2516	ptkcqg.com
2656	zvzmmb.com
1648	jgppzf.com
1804	wwkshn.com
1852	jjbpnr.com
1944	tqfnyp.com
2116	dtdxts.com
1240	qrxabt.com
2704	auncpw.com
2836	mwtsai.com
1268	zjkige.com
2768	jmasbh.com
1312	woginu.com
1812	jbpxsy.com
2280	lacvdw.com
3056	ycikwb.com
1884	lscnfj.com
596	vdsxsm.com
2956	iqjnyq.com
588	sazyll.com
572	frcact.com
2316	shwdkb.com
2500	bvxsaj.com
600	lvbqli.com
2676	ytesti.com
960	lvkinu.com
2924	ymflvu.com
2492	lzoaby.com
2796	vjmlob.com
2604	iahoxk.com
352	scwysn.com
2644	fbrbbn.com
904	pdoloq.com
1920	ccjoxy.com
3064	ppadcc.com
1636	ydtbab.com
776	lqlrgf.com
1792	ygftpn.com
2060	jnsrzm.com
1488	vhyylr.com
2432	fsnjgu.com
328	sjiloc.com

Loads dropped DLL 64 IoCs

pid	Process
1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe
1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe
2860	juuezf.com
2860	juuezf.com
1492	bikjjg.com
1492	bikjjg.com
1836	ognesg.com
1836	ognesg.com
1404	yjcofk.com
1404	yjcofk.com
976	lhxros.com
976	lhxros.com
2120	yystes.com
2120	yystes.com
2392	lovwna.com
2392	lovwna.com
1728	siubcu.com
1728	siubcu.com
1820	hbqwlq.com
1820	hbqwlq.com
2044	uslzuq.com
2044	uslzuq.com
2404	hiobdy.com
2404	hiobdy.com
2476	rpszvx.com
2476	rpszvx.com
2328	bshjia.com
2328	bshjia.com
1640	ofzzoe.com
1640	ofzzoe.com
1032	ypojjz.com
1032	ypojjz.com
1112	lcgzpd.com
1112	lcgzpd.com
1620	vqhwfk.com
1620	vqhwfk.com
580	ihbros.com
580	ihbros.com
2016	vulpuo.com
2016	vulpuo.com
2412	feizpr.com
2412	feizpr.com
1784	phyccu.com
1784	phyccu.com
2684	cuhziy.com
2684	cuhziy.com
2516	ptkcqg.com
2516	ptkcqg.com
2656	zvzmmb.com
2656	zvzmmb.com
1648	jgppzf.com
1648	jgppzf.com
1804	wwkshn.com
1804	wwkshn.com
1852	jjbpnr.com
1852	jjbpnr.com
1944	tqfnyp.com
1944	tqfnyp.com
2116	dtdxts.com
2116	dtdxts.com
1240	qrxabt.com
1240	qrxabt.com
2704	auncpw.com
2704	auncpw.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\enpobc.com	ofdgvl.com
File created	C:\Windows\SysWOW64\jbaedj.com	wkfcuj.com
File created	\??\c:\windows\SysWOW64\sm1.bat	zebatn.com
File opened for modification	C:\Windows\SysWOW64\ztyfkv.com	muddbv.com
File created	\??\c:\windows\SysWOW64\sm1.bat	ihzdid.com
File created	C:\Windows\SysWOW64\yyhdoo.com	linafg.com
File created	C:\Windows\SysWOW64\ftefwh.com	Process not Found
File created	\??\c:\windows\SysWOW64\sm1.bat	Process not Found
File created	C:\Windows\SysWOW64\fpskja.com	Process not Found
File opened for modification	C:\Windows\SysWOW64\woginu.com	jmasbh.com
File opened for modification	C:\Windows\SysWOW64\pxmyqe.com	drcwun.com
File created	\??\c:\windows\SysWOW64\sm1.bat	mdeiew.com
File created	C:\Windows\SysWOW64\cuhziy.com	phyccu.com
File created	C:\Windows\SysWOW64\jbpxsy.com	woginu.com
File opened for modification	C:\Windows\SysWOW64\icjknu.com	ydfnvw.com
File created	\??\c:\windows\SysWOW64\sm1.bat	umfwhf.com
File created	C:\Windows\SysWOW64\fauxfp.com	vyfmsm.com
File opened for modification	C:\Windows\SysWOW64\memscq.com	zojpti.com
File opened for modification	C:\Windows\SysWOW64\qnpqev.com	olafjs.com
File opened for modification	C:\Windows\SysWOW64\yidtac.com	Process not Found
File opened for modification	C:\Windows\SysWOW64\yrxyir.com	Process not Found
File opened for modification	C:\Windows\SysWOW64\lhxros.com	yjcofk.com
File opened for modification	C:\Windows\SysWOW64\ajjsft.com	ohdcto.com
File created	\??\c:\windows\SysWOW64\sm1.bat	zojpti.com
File created	C:\Windows\SysWOW64\ocmfyw.com	esxvlt.com
File opened for modification	C:\Windows\SysWOW64\mclueq.com	czwkrn.com
File created	\??\c:\windows\SysWOW64\sm1.bat	xkjdld.com
File created	\??\c:\windows\SysWOW64\sm1.bat	Process not Found
File created	C:\Windows\SysWOW64\auncpw.com	qrxabt.com
File created	\??\c:\windows\SysWOW64\sm1.bat	uiklrh.com
File opened for modification	C:\Windows\SysWOW64\zffxzp.com	ndzink.com
File opened for modification	C:\Windows\SysWOW64\dmksnv.com	qnpqev.com
File opened for modification	C:\Windows\SysWOW64\scqdba.com	idmfqb.com
File opened for modification	C:\Windows\SysWOW64\paouxu.com	Process not Found
File created	C:\Windows\SysWOW64\hbqwlq.com	siubcu.com
File created	\??\c:\windows\SysWOW64\sm1.bat	zendjo.com
File created	\??\c:\windows\SysWOW64\sm1.bat	kdzuch.com
File created	\??\c:\windows\SysWOW64\sm1.bat	Process not Found
File opened for modification	C:\Windows\SysWOW64\ngcalz.com	Process not Found
File opened for modification	C:\Windows\SysWOW64\dmzcwj.com	Process not Found
File opened for modification	C:\Windows\SysWOW64\bljiez.com	ovgfwr.com
File opened for modification	C:\Windows\SysWOW64\zficyz.com	pgeega.com
File opened for modification	C:\Windows\SysWOW64\jpmvtq.com	Process not Found
File created	\??\c:\windows\SysWOW64\sm1.bat	Process not Found
File opened for modification	C:\Windows\SysWOW64\uxqktu.com	hyvikl.com
File created	\??\c:\windows\SysWOW64\sm1.bat	uxqktu.com
File opened for modification	C:\Windows\SysWOW64\pgzssu.com	gsyvcn.com
File created	\??\c:\windows\SysWOW64\sm1.bat	wvwnpx.com
File opened for modification	C:\Windows\SysWOW64\btfjkn.com	Process not Found
File created	C:\Windows\SysWOW64\lovwna.com	yystes.com
File created	\??\c:\windows\SysWOW64\sm1.bat	hiobdy.com
File opened for modification	C:\Windows\SysWOW64\csquel.com	sexxge.com
File created	C:\Windows\SysWOW64\adscte.com	Process not Found
File created	\??\c:\windows\SysWOW64\sm1.bat	Process not Found
File opened for modification	C:\Windows\SysWOW64\vncsju.com	fauxfp.com
File created	C:\Windows\SysWOW64\pakgsa.com	fagjib.com
File created	C:\Windows\SysWOW64\nerhyz.com	agxeqr.com
File opened for modification	C:\Windows\SysWOW64\zfzrih.com	Process not Found
File opened for modification	C:\Windows\SysWOW64\fpskja.com	Process not Found
File created	C:\Windows\SysWOW64\sazyll.com	iqjnyq.com
File opened for modification	C:\Windows\SysWOW64\aptoew.com	njklpn.com
File opened for modification	C:\Windows\SysWOW64\ybvhya.com	oguxqf.com
File created	C:\Windows\SysWOW64\nensak.com	aosxrk.com
File opened for modification	C:\Windows\SysWOW64\ijapcr.com	Process not Found

Runs .reg file with regedit 64 IoCs

pid	Process
2568	regedit.exe
2804	regedit.exe
2444	regedit.exe
1540	regedit.exe
4596	Process not Found
536	regedit.exe
3284	Process not Found
536	regedit.exe
1580	regedit.exe
2576	regedit.exe
796	regedit.exe
4540	Process not Found
2112	regedit.exe
4852	Process not Found
3012	regedit.exe
3360	regedit.exe
4876	Process not Found
2100	regedit.exe
2620	regedit.exe
2672	regedit.exe
2664	regedit.exe
3576	regedit.exe
3956	Process not Found
3660	Process not Found
4828	Process not Found
320	regedit.exe
1548	regedit.exe
3980	regedit.exe
3732	regedit.exe
2728	Process not Found
3456	Process not Found
2624	regedit.exe
1732	regedit.exe
4000	Process not Found
2868	regedit.exe
1996	regedit.exe
2844	regedit.exe
2624	regedit.exe
2324	Process not Found
4932	Process not Found
1852	regedit.exe
2284	regedit.exe
3060	regedit.exe
2272	regedit.exe
3004	regedit.exe
1652	regedit.exe
3240	regedit.exe
3200	regedit.exe
2636	Process not Found
4760	Process not Found
1924	regedit.exe
3644	regedit.exe
3824	Process not Found
4000	Process not Found
3212	Process not Found
900	regedit.exe
3528	Process not Found
396	regedit.exe
5020	Process not Found
2736	regedit.exe
704	regedit.exe
320	regedit.exe
2456	regedit.exe
4700	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1264	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	28
PID 1756 wrote to memory of 1264	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	28
PID 1756 wrote to memory of 1264	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	28
PID 1756 wrote to memory of 1264	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	28
PID 1264 wrote to memory of 2636	1264	cmd.exe	29
PID 1264 wrote to memory of 2636	1264	cmd.exe	29
PID 1264 wrote to memory of 2636	1264	cmd.exe	29
PID 1264 wrote to memory of 2636	1264	cmd.exe	29
PID 1756 wrote to memory of 2860	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	30
PID 1756 wrote to memory of 2860	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	30
PID 1756 wrote to memory of 2860	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	30
PID 1756 wrote to memory of 2860	1756	ade99c01a1e92f6dc5c4a4bfec9649e3.exe	30
PID 2860 wrote to memory of 1396	2860	juuezf.com	32
PID 2860 wrote to memory of 1396	2860	juuezf.com	32
PID 2860 wrote to memory of 1396	2860	juuezf.com	32
PID 2860 wrote to memory of 1396	2860	juuezf.com	32
PID 1396 wrote to memory of 784	1396	cmd.exe	31
PID 1396 wrote to memory of 784	1396	cmd.exe	31
PID 1396 wrote to memory of 784	1396	cmd.exe	31
PID 1396 wrote to memory of 784	1396	cmd.exe	31
PID 2860 wrote to memory of 1492	2860	juuezf.com	33
PID 2860 wrote to memory of 1492	2860	juuezf.com	33
PID 2860 wrote to memory of 1492	2860	juuezf.com	33
PID 2860 wrote to memory of 1492	2860	juuezf.com	33
PID 1492 wrote to memory of 1836	1492	bikjjg.com	34
PID 1492 wrote to memory of 1836	1492	bikjjg.com	34
PID 1492 wrote to memory of 1836	1492	bikjjg.com	34
PID 1492 wrote to memory of 1836	1492	bikjjg.com	34
PID 1836 wrote to memory of 1404	1836	ognesg.com	35
PID 1836 wrote to memory of 1404	1836	ognesg.com	35
PID 1836 wrote to memory of 1404	1836	ognesg.com	35
PID 1836 wrote to memory of 1404	1836	ognesg.com	35
PID 1404 wrote to memory of 976	1404	yjcofk.com	36
PID 1404 wrote to memory of 976	1404	yjcofk.com	36
PID 1404 wrote to memory of 976	1404	yjcofk.com	36
PID 1404 wrote to memory of 976	1404	yjcofk.com	36
PID 976 wrote to memory of 2120	976	lhxros.com	39
PID 976 wrote to memory of 2120	976	lhxros.com	39
PID 976 wrote to memory of 2120	976	lhxros.com	39
PID 976 wrote to memory of 2120	976	lhxros.com	39
PID 2120 wrote to memory of 1752	2120	yystes.com	38
PID 2120 wrote to memory of 1752	2120	yystes.com	38
PID 2120 wrote to memory of 1752	2120	yystes.com	38
PID 2120 wrote to memory of 1752	2120	yystes.com	38
PID 1752 wrote to memory of 2524	1752	cmd.exe	37
PID 1752 wrote to memory of 2524	1752	cmd.exe	37
PID 1752 wrote to memory of 2524	1752	cmd.exe	37
PID 1752 wrote to memory of 2524	1752	cmd.exe	37
PID 2120 wrote to memory of 2392	2120	yystes.com	40
PID 2120 wrote to memory of 2392	2120	yystes.com	40
PID 2120 wrote to memory of 2392	2120	yystes.com	40
PID 2120 wrote to memory of 2392	2120	yystes.com	40
PID 2392 wrote to memory of 2676	2392	lovwna.com	41
PID 2392 wrote to memory of 2676	2392	lovwna.com	41
PID 2392 wrote to memory of 2676	2392	lovwna.com	41
PID 2392 wrote to memory of 2676	2392	lovwna.com	41
PID 2676 wrote to memory of 536	2676	cmd.exe	42
PID 2676 wrote to memory of 536	2676	cmd.exe	42
PID 2676 wrote to memory of 536	2676	cmd.exe	42
PID 2676 wrote to memory of 536	2676	cmd.exe	42
PID 2392 wrote to memory of 1728	2392	lovwna.com	43
PID 2392 wrote to memory of 1728	2392	lovwna.com	43
PID 2392 wrote to memory of 1728	2392	lovwna.com	43
PID 2392 wrote to memory of 1728	2392	lovwna.com	43

C:\Users\Admin\AppData\Local\Temp\ade99c01a1e92f6dc5c4a4bfec9649e3.exe
"C:\Users\Admin\AppData\Local\Temp\ade99c01a1e92f6dc5c4a4bfec9649e3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\system32\sm1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    PID:2636
- C:\Windows\SysWOW64\juuezf.com
  C:\Windows\system32\juuezf.com 504 "C:\Users\Admin\AppData\Local\Temp\ade99c01a1e92f6dc5c4a4bfec9649e3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\system32\sm1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396
- - C:\Windows\SysWOW64\bikjjg.com
    C:\Windows\system32\bikjjg.com 540 "C:\Windows\SysWOW64\juuezf.com"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\ognesg.com
      C:\Windows\system32\ognesg.com 532 "C:\Windows\SysWOW64\bikjjg.com"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\SysWOW64\yjcofk.com
        
        C:\Windows\system32\yjcofk.com 536 "C:\Windows\SysWOW64\ognesg.com"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\lhxros.com
        
        C:\Windows\system32\lhxros.com 552 "C:\Windows\SysWOW64\yjcofk.com"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\yystes.com
        
        C:\Windows\system32\yystes.com 544 "C:\Windows\SysWOW64\lhxros.com"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\lovwna.com
        
        C:\Windows\system32\lovwna.com 560 "C:\Windows\SysWOW64\yystes.com"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Runs .reg file with regedit
        
        PID:536
        
        C:\Windows\SysWOW64\siubcu.com
        
        C:\Windows\system32\siubcu.com 564 "C:\Windows\SysWOW64\lovwna.com"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        10⤵
        
        PID:704
        
        C:\Windows\SysWOW64\hbqwlq.com
        
        C:\Windows\system32\hbqwlq.com 568 "C:\Windows\SysWOW64\siubcu.com"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        11⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\uslzuq.com
        
        C:\Windows\system32\uslzuq.com 572 "C:\Windows\SysWOW64\hbqwlq.com"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        12⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\hiobdy.com
        
        C:\Windows\system32\hiobdy.com 576 "C:\Windows\SysWOW64\uslzuq.com"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        13⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\rpszvx.com
        
        C:\Windows\system32\rpszvx.com 580 "C:\Windows\SysWOW64\hiobdy.com"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2476
        
        C:\Windows\SysWOW64\bshjia.com
        
        C:\Windows\system32\bshjia.com 584 "C:\Windows\SysWOW64\rpszvx.com"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        15⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        
        PID:408
        
        C:\Windows\SysWOW64\ofzzoe.com
        
        C:\Windows\system32\ofzzoe.com 588 "C:\Windows\SysWOW64\bshjia.com"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        16⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        17⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\ypojjz.com
        
        C:\Windows\system32\ypojjz.com 548 "C:\Windows\SysWOW64\ofzzoe.com"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        17⤵
        
        PID:340
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        Modifies security service
        
        PID:600
        
        C:\Windows\SysWOW64\lcgzpd.com
        
        C:\Windows\system32\lcgzpd.com 596 "C:\Windows\SysWOW64\ypojjz.com"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        18⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        19⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\vqhwfk.com
        
        C:\Windows\system32\vqhwfk.com 600 "C:\Windows\SysWOW64\lcgzpd.com"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        19⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\ihbros.com
        
        C:\Windows\system32\ihbros.com 604 "C:\Windows\SysWOW64\vqhwfk.com"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        20⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\vulpuo.com
        
        C:\Windows\system32\vulpuo.com 608 "C:\Windows\SysWOW64\ihbros.com"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        21⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\feizpr.com
        
        C:\Windows\system32\feizpr.com 612 "C:\Windows\SysWOW64\vulpuo.com"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        22⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        23⤵
        Runs .reg file with regedit
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        23⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\phyccu.com
        
        C:\Windows\system32\phyccu.com 616 "C:\Windows\SysWOW64\feizpr.com"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        23⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cuhziy.com
        
        C:\Windows\system32\cuhziy.com 620 "C:\Windows\SysWOW64\phyccu.com"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        24⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        25⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\ptkcqg.com
        
        C:\Windows\system32\ptkcqg.com 624 "C:\Windows\SysWOW64\cuhziy.com"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        25⤵
        
        PID:600
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        26⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\zvzmmb.com
        
        C:\Windows\system32\zvzmmb.com 628 "C:\Windows\SysWOW64\ptkcqg.com"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        26⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        27⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\jgppzf.com
        
        C:\Windows\system32\jgppzf.com 632 "C:\Windows\SysWOW64\zvzmmb.com"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        27⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        28⤵
        Runs .reg file with regedit
        
        PID:2624
        
        C:\Windows\SysWOW64\wwkshn.com
        
        C:\Windows\system32\wwkshn.com 636 "C:\Windows\SysWOW64\jgppzf.com"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        28⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        29⤵
        
        PID:796
        
        C:\Windows\SysWOW64\jjbpnr.com
        
        C:\Windows\system32\jjbpnr.com 644 "C:\Windows\SysWOW64\wwkshn.com"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        29⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        30⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\tqfnyp.com
        
        C:\Windows\system32\tqfnyp.com 640 "C:\Windows\SysWOW64\jjbpnr.com"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        30⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        31⤵
        
        PID:320
        
        C:\Windows\SysWOW64\dtdxts.com
        
        C:\Windows\system32\dtdxts.com 652 "C:\Windows\SysWOW64\tqfnyp.com"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        31⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        32⤵
        Runs .reg file with regedit
        
        PID:2672
        
        C:\Windows\SysWOW64\qrxabt.com
        
        C:\Windows\system32\qrxabt.com 648 "C:\Windows\SysWOW64\dtdxts.com"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        32⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        33⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\auncpw.com
        
        C:\Windows\system32\auncpw.com 656 "C:\Windows\SysWOW64\qrxabt.com"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        33⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        34⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\mwtsai.com
        
        C:\Windows\system32\mwtsai.com 660 "C:\Windows\SysWOW64\auncpw.com"
        33⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        34⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        35⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\zjkige.com
        
        C:\Windows\system32\zjkige.com 664 "C:\Windows\SysWOW64\mwtsai.com"
        34⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        35⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        36⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\jmasbh.com
        
        C:\Windows\system32\jmasbh.com 672 "C:\Windows\SysWOW64\zjkige.com"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        36⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        37⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\woginu.com
        
        C:\Windows\system32\woginu.com 668 "C:\Windows\SysWOW64\jmasbh.com"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        37⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        38⤵
        Modifies security service
        
        PID:2424
        
        C:\Windows\SysWOW64\jbpxsy.com
        
        C:\Windows\system32\jbpxsy.com 676 "C:\Windows\SysWOW64\woginu.com"
        37⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        38⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        39⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\lacvdw.com
        
        C:\Windows\system32\lacvdw.com 688 "C:\Windows\SysWOW64\jbpxsy.com"
        38⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        39⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        40⤵
        Runs .reg file with regedit
        
        PID:3060
        
        C:\Windows\SysWOW64\ycikwb.com
        
        C:\Windows\system32\ycikwb.com 680 "C:\Windows\SysWOW64\lacvdw.com"
        39⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        40⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        41⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\lscnfj.com
        
        C:\Windows\system32\lscnfj.com 684 "C:\Windows\SysWOW64\ycikwb.com"
        40⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        41⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        42⤵
        
        PID:820
        
        C:\Windows\SysWOW64\vdsxsm.com
        
        C:\Windows\system32\vdsxsm.com 696 "C:\Windows\SysWOW64\lscnfj.com"
        41⤵
        Executes dropped EXE
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        42⤵
        
        PID:396
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        43⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\iqjnyq.com
        
        C:\Windows\system32\iqjnyq.com 692 "C:\Windows\SysWOW64\vdsxsm.com"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        43⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        44⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\sazyll.com
        
        C:\Windows\system32\sazyll.com 704 "C:\Windows\SysWOW64\iqjnyq.com"
        43⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        44⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        45⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\frcact.com
        
        C:\Windows\system32\frcact.com 700 "C:\Windows\SysWOW64\sazyll.com"
        44⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        45⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        46⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\ofdgvl.com
        
        C:\Windows\system32\ofdgvl.com 472 "C:\Windows\SysWOW64\hufayr.com"
        46⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\enpobc.com
        
        C:\Windows\system32\enpobc.com 980 "C:\Windows\SysWOW64\ofdgvl.com"
        47⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        48⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        49⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        50⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\oxmypx.com
        
        C:\Windows\system32\oxmypx.com 984 "C:\Windows\SysWOW64\enpobc.com"
        48⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        49⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        50⤵
        Runs .reg file with regedit
        
        PID:2664
        
        C:\Windows\SysWOW64\bohbxg.com
        
        C:\Windows\system32\bohbxg.com 988 "C:\Windows\SysWOW64\oxmypx.com"
        49⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        50⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\lywltj.com
        
        C:\Windows\system32\lywltj.com 992 "C:\Windows\SysWOW64\bohbxg.com"
        50⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        51⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        52⤵
        Runs .reg file with regedit
        
        PID:1732
        
        C:\Windows\SysWOW64\bdfgpo.com
        
        C:\Windows\system32\bdfgpo.com 996 "C:\Windows\SysWOW64\lywltj.com"
        51⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        52⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\iodlmq.com
        
        C:\Windows\system32\iodlmq.com 1000 "C:\Windows\SysWOW64\bdfgpo.com"
        52⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        53⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        54⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\xhayvd.com
        
        C:\Windows\system32\xhayvd.com 1004 "C:\Windows\SysWOW64\iodlmq.com"
        53⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        54⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        55⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\hoedgc.com
        
        C:\Windows\system32\hoedgc.com 1008 "C:\Windows\SysWOW64\xhayvd.com"
        54⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        55⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        56⤵
        Modifies security service
        
        PID:2324
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        56⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\uiklrh.com
        
        C:\Windows\system32\uiklrh.com 1020 "C:\Windows\SysWOW64\hoedgc.com"
        55⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        56⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        57⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\hvcbfl.com
        
        C:\Windows\system32\hvcbfl.com 1012 "C:\Windows\SysWOW64\uiklrh.com"
        56⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        57⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        58⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\uxirqx.com
        
        C:\Windows\system32\uxirqx.com 1016 "C:\Windows\SysWOW64\hvcbfl.com"
        57⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        58⤵
        
        PID:772
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        59⤵
        Modifies security service
        
        PID:2200
        
        C:\Windows\SysWOW64\ewmobw.com
        
        C:\Windows\system32\ewmobw.com 1028 "C:\Windows\SysWOW64\uxirqx.com"
        58⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        59⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        60⤵
        Runs .reg file with regedit
        
        PID:2844
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        61⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\umfwhf.com
        
        C:\Windows\system32\umfwhf.com 1032 "C:\Windows\SysWOW64\ewmobw.com"
        59⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        60⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        61⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\dagtxn.com
        
        C:\Windows\system32\dagtxn.com 1036 "C:\Windows\SysWOW64\umfwhf.com"
        60⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        61⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        62⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        63⤵
        Runs .reg file with regedit
        
        PID:796
        
        C:\Windows\SysWOW64\qrbogv.com
        
        C:\Windows\system32\qrbogv.com 1040 "C:\Windows\SysWOW64\dagtxn.com"
        61⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        62⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\dekmmr.com
        
        C:\Windows\system32\dekmmr.com 1044 "C:\Windows\SysWOW64\qrbogv.com"
        62⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        63⤵
        
        PID:784
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        64⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\qgqtfd.com
        
        C:\Windows\system32\qgqtfd.com 1056 "C:\Windows\SysWOW64\dekmmr.com"
        63⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        64⤵
        
        PID:912
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        65⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\dwtwol.com
        
        C:\Windows\system32\dwtwol.com 1048 "C:\Windows\SysWOW64\qgqtfd.com"
        64⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        65⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        66⤵
        
        PID:408
        
        C:\Windows\SysWOW64\nextyk.com
        
        C:\Windows\system32\nextyk.com 1052 "C:\Windows\SysWOW64\dwtwol.com"
        65⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        66⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        67⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\pkyrok.com
        
        C:\Windows\system32\pkyrok.com 1068 "C:\Windows\SysWOW64\nextyk.com"
        66⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        67⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        68⤵
        Modifies security service
        
        PID:2024
        
        C:\Windows\SysWOW64\citufs.com
        
        C:\Windows\system32\citufs.com 1060 "C:\Windows\SysWOW64\pkyrok.com"
        67⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        68⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        69⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\pvkjlw.com
        
        C:\Windows\system32\pvkjlw.com 1064 "C:\Windows\SysWOW64\citufs.com"
        68⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        69⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        70⤵
        
        PID:340
        
        C:\Windows\SysWOW64\wdgjxl.com
        
        C:\Windows\system32\wdgjxl.com 1072 "C:\Windows\SysWOW64\pvkjlw.com"
        69⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        70⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        71⤵
        Runs .reg file with regedit
        
        PID:3004
        
        C:\Windows\SysWOW64\gfvmso.com
        
        C:\Windows\system32\gfvmso.com 1076 "C:\Windows\SysWOW64\wdgjxl.com"
        70⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        71⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        72⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\thbbeb.com
        
        C:\Windows\system32\thbbeb.com 1080 "C:\Windows\SysWOW64\gfvmso.com"
        71⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        72⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        73⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        74⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\dgfzos.com
        
        C:\Windows\system32\dgfzos.com 1084 "C:\Windows\SysWOW64\thbbeb.com"
        72⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        73⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        74⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\qficxa.com
        
        C:\Windows\system32\qficxa.com 1088 "C:\Windows\SysWOW64\dgfzos.com"
        73⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\dssrce.com
        
        C:\Windows\system32\dssrce.com 880 "C:\Windows\SysWOW64\qficxa.com"
        74⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        75⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        76⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\hmizbo.com
        
        C:\Windows\system32\hmizbo.com 592 "C:\Windows\SysWOW64\dssrce.com"
        75⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        76⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\sexxge.com
        
        C:\Windows\system32\sexxge.com 1100 "C:\Windows\SysWOW64\hmizbo.com"
        76⤵
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        77⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        78⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\csquel.com
        
        C:\Windows\system32\csquel.com 1104 "C:\Windows\SysWOW64\sexxge.com"
        77⤵
        
        PID:344
        
        C:\Windows\SysWOW64\mormmg.com
        
        C:\Windows\system32\mormmg.com 1108 "C:\Windows\SysWOW64\csquel.com"
        78⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        79⤵
        Modifies security service
        
        PID:1956
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        80⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\zemhuo.com
        
        C:\Windows\system32\zemhuo.com 1112 "C:\Windows\SysWOW64\mormmg.com"
        79⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        80⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        81⤵
        Modifies security service
        
        PID:2624
        
        C:\Windows\SysWOW64\mvokdw.com
        
        C:\Windows\system32\mvokdw.com 1116 "C:\Windows\SysWOW64\zemhuo.com"
        80⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        81⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        82⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\wjphbw.com
        
        C:\Windows\system32\wjphbw.com 1120 "C:\Windows\SysWOW64\mvokdw.com"
        81⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        82⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        83⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\jwzxha.com
        
        C:\Windows\system32\jwzxha.com 1124 "C:\Windows\SysWOW64\wjphbw.com"
        82⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        83⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        84⤵
        
        PID:912
        
        C:\Windows\SysWOW64\vyfmsm.com
        
        C:\Windows\system32\vyfmsm.com 1128 "C:\Windows\SysWOW64\jwzxha.com"
        83⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        84⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        85⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\fauxfp.com
        
        C:\Windows\system32\fauxfp.com 1132 "C:\Windows\SysWOW64\vyfmsm.com"
        84⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\vncsju.com
        
        C:\Windows\system32\vncsju.com 1136 "C:\Windows\SysWOW64\fauxfp.com"
        85⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        86⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\ftdhzc.com
        
        C:\Windows\system32\ftdhzc.com 1140 "C:\Windows\SysWOW64\vncsju.com"
        86⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        87⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        88⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\qltnms.com
        
        C:\Windows\system32\qltnms.com 1144 "C:\Windows\SysWOW64\ftdhzc.com"
        87⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        88⤵
        
        PID:280
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        89⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\zztkcz.com
        
        C:\Windows\system32\zztkcz.com 1148 "C:\Windows\SysWOW64\qltnms.com"
        88⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        89⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        90⤵
        Modifies security service
        
        PID:2484
        
        C:\Windows\SysWOW64\pdtfgf.com
        
        C:\Windows\system32\pdtfgf.com 1152 "C:\Windows\SysWOW64\zztkcz.com"
        89⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        90⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        91⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\zojpti.com
        
        C:\Windows\system32\zojpti.com 1156 "C:\Windows\SysWOW64\pdtfgf.com"
        90⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        91⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        92⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\memscq.com
        
        C:\Windows\system32\memscq.com 1160 "C:\Windows\SysWOW64\zojpti.com"
        91⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        92⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        93⤵
        Runs .reg file with regedit
        
        PID:2624
        
        C:\Windows\SysWOW64\wpbvxt.com
        
        C:\Windows\system32\wpbvxt.com 1164 "C:\Windows\SysWOW64\memscq.com"
        92⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        93⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        94⤵
        Modifies security service
        
        PID:2900
        
        C:\Windows\SysWOW64\jfwxgt.com
        
        C:\Windows\system32\jfwxgt.com 1168 "C:\Windows\SysWOW64\wpbvxt.com"
        93⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\tfidqs.com
        
        C:\Windows\system32\tfidqs.com 1172 "C:\Windows\SysWOW64\jfwxgt.com"
        94⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        95⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        96⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\dmmajr.com
        
        C:\Windows\system32\dmmajr.com 1176 "C:\Windows\SysWOW64\tfidqs.com"
        95⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        96⤵
        
        PID:808
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        97⤵
        Runs .reg file with regedit
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        97⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        98⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\qchdrz.com
        
        C:\Windows\system32\qchdrz.com 1180 "C:\Windows\SysWOW64\dmmajr.com"
        96⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        97⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        98⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1652
        
        C:\Windows\SysWOW64\abtacy.com
        
        C:\Windows\system32\abtacy.com 1184 "C:\Windows\SysWOW64\qchdrz.com"
        97⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        98⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        99⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\ndzink.com
        
        C:\Windows\system32\ndzink.com 1196 "C:\Windows\SysWOW64\abtacy.com"
        98⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        99⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        100⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\zffxzp.com
        
        C:\Windows\system32\zffxzp.com 1200 "C:\Windows\SysWOW64\ndzink.com"
        99⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        100⤵
        
        PID:656
        
        C:\Windows\SysWOW64\nspnes.com
        
        C:\Windows\system32\nspnes.com 1188 "C:\Windows\SysWOW64\zffxzp.com"
        100⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        101⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        102⤵
        Modifies security service
        
        PID:1780
        
        C:\Windows\SysWOW64\uaknzi.com
        
        C:\Windows\system32\uaknzi.com 1192 "C:\Windows\SysWOW64\nspnes.com"
        101⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        102⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        103⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\edzyml.com
        
        C:\Windows\system32\edzyml.com 1204 "C:\Windows\SysWOW64\uaknzi.com"
        102⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        103⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        104⤵
        Runs .reg file with regedit
        
        PID:2736
        
        C:\Windows\SysWOW64\okmvek.com
        
        C:\Windows\system32\okmvek.com 1208 "C:\Windows\SysWOW64\edzyml.com"
        103⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\esxvlt.com
        
        C:\Windows\system32\esxvlt.com 1212 "C:\Windows\SysWOW64\okmvek.com"
        104⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        105⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        106⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\ocmfyw.com
        
        C:\Windows\system32\ocmfyw.com 1216 "C:\Windows\SysWOW64\esxvlt.com"
        105⤵
        
        PID:808
        
        C:\Windows\SysWOW64\awtvkj.com
        
        C:\Windows\system32\awtvkj.com 1220 "C:\Windows\SysWOW64\ocmfyw.com"
        106⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        107⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        108⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\njklpn.com
        
        C:\Windows\system32\njklpn.com 1224 "C:\Windows\SysWOW64\awtvkj.com"
        107⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        108⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        109⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\aptoew.com
        
        C:\Windows\system32\aptoew.com 1228 "C:\Windows\SysWOW64\njklpn.com"
        108⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        109⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        110⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\nkldjz.com
        
        C:\Windows\system32\nkldjz.com 1232 "C:\Windows\SysWOW64\aptoew.com"
        109⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        110⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        111⤵
        Runs .reg file with regedit
        
        PID:1548
        
        C:\Windows\SysWOW64\aertde.com
        
        C:\Windows\system32\aertde.com 1236 "C:\Windows\SysWOW64\nkldjz.com"
        110⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        111⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        112⤵
        
        PID:620
        
        C:\Windows\SysWOW64\ncmolm.com
        
        C:\Windows\system32\ncmolm.com 1248 "C:\Windows\SysWOW64\aertde.com"
        111⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        112⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        113⤵
        Runs .reg file with regedit
        
        PID:900
        
        C:\Windows\SysWOW64\ztpquu.com
        
        C:\Windows\system32\ztpquu.com 1240 "C:\Windows\SysWOW64\ncmolm.com"
        112⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        113⤵
        
        PID:620
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        114⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2620
        
        C:\Windows\SysWOW64\zendjo.com
        
        C:\Windows\system32\zendjo.com 1256 "C:\Windows\SysWOW64\ztpquu.com"
        113⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        114⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        115⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\jlrbcn.com
        
        C:\Windows\system32\jlrbcn.com 1244 "C:\Windows\SysWOW64\zendjo.com"
        114⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        115⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        116⤵
        
        PID:900
        
        C:\Windows\SysWOW64\tkeymm.com
        
        C:\Windows\system32\tkeymm.com 1252 "C:\Windows\SysWOW64\jlrbcn.com"
        115⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        116⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        117⤵
        Modifies security service
        
        PID:1028
        
        C:\Windows\SysWOW64\gxnosp.com
        
        C:\Windows\system32\gxnosp.com 1260 "C:\Windows\SysWOW64\tkeymm.com"
        116⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        117⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        118⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\qlolqp.com
        
        C:\Windows\system32\qlolqp.com 1264 "C:\Windows\SysWOW64\gxnosp.com"
        117⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        118⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        119⤵
        Modifies security service
        
        PID:1004
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        119⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\dcroyx.com
        
        C:\Windows\system32\dcroyx.com 1268 "C:\Windows\SysWOW64\qlolqp.com"
        118⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        119⤵
        
        PID:560
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        120⤵
        Modifies security service
        
        PID:1772
        
        C:\Windows\SysWOW64\nbvljw.com
        
        C:\Windows\system32\nbvljw.com 524 "C:\Windows\SysWOW64\dcroyx.com"
        119⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        120⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        121⤵
        
        PID:620
        
        C:\Windows\SysWOW64\snotcg.com
        
        C:\Windows\system32\snotcg.com 1276 "C:\Windows\SysWOW64\nbvljw.com"
        120⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        121⤵
        
        PID:704
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        122⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\fagjib.com
        
        C:\Windows\system32\fagjib.com 1280 "C:\Windows\SysWOW64\snotcg.com"
        121⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        122⤵
        
        PID:408
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        123⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\pakgsa.com
        
        C:\Windows\system32\pakgsa.com 1292 "C:\Windows\SysWOW64\fagjib.com"
        122⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        123⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        124⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        125⤵
        
        PID:280
        
        C:\Windows\SysWOW64\zkzrnd.com
        
        C:\Windows\system32\zkzrnd.com 1284 "C:\Windows\SysWOW64\pakgsa.com"
        123⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        124⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\jjloyc.com
        
        C:\Windows\system32\jjloyc.com 1288 "C:\Windows\SysWOW64\zkzrnd.com"
        124⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        125⤵
        
        PID:868
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        126⤵
        Runs .reg file with regedit
        
        PID:2576
        
        C:\Windows\SysWOW64\qrzgkr.com
        
        C:\Windows\system32\qrzgkr.com 1296 "C:\Windows\SysWOW64\jjloyc.com"
        125⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        126⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        127⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\ysyhzg.com
        
        C:\Windows\system32\ysyhzg.com 1300 "C:\Windows\SysWOW64\qrzgkr.com"
        126⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        127⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        128⤵
        Runs .reg file with regedit
        
        PID:704
        
        C:\Windows\SysWOW64\qgwmji.com
        
        C:\Windows\system32\qgwmji.com 1304 "C:\Windows\SysWOW64\ysyhzg.com"
        127⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        128⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        129⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\derosq.com
        
        C:\Windows\system32\derosq.com 1308 "C:\Windows\SysWOW64\qgwmji.com"
        128⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        129⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        130⤵
        Runs .reg file with regedit
        
        PID:320
        
        C:\Windows\SysWOW64\inwjow.com
        
        C:\Windows\system32\inwjow.com 1312 "C:\Windows\SysWOW64\derosq.com"
        129⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        130⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\ajnory.com
        
        C:\Windows\system32\ajnory.com 1316 "C:\Windows\SysWOW64\inwjow.com"
        130⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        131⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        132⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\nzprzg.com
        
        C:\Windows\system32\nzprzg.com 1320 "C:\Windows\SysWOW64\ajnory.com"
        131⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        132⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        133⤵
        Modifies security service
        
        PID:1380
        
        C:\Windows\SysWOW64\wkfcuj.com
        
        C:\Windows\system32\wkfcuj.com 1340 "C:\Windows\SysWOW64\nzprzg.com"
        132⤵
        Drops file in System32 directory
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        133⤵
        
        PID:348
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        134⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\jbaedj.com
        
        C:\Windows\system32\jbaedj.com 1324 "C:\Windows\SysWOW64\wkfcuj.com"
        133⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        134⤵
        
        PID:704
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        135⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\tamcni.com
        
        C:\Windows\system32\tamcni.com 1328 "C:\Windows\SysWOW64\jbaedj.com"
        134⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        135⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        136⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\jqxcuz.com
        
        C:\Windows\system32\jqxcuz.com 1332 "C:\Windows\SysWOW64\tamcni.com"
        135⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        136⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        137⤵
        Runs .reg file with regedit
        
        PID:2444
        
        C:\Windows\SysWOW64\oguxqf.com
        
        C:\Windows\system32\oguxqf.com 1336 "C:\Windows\SysWOW64\jqxcuz.com"
        136⤵
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        137⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        138⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\ybvhya.com
        
        C:\Windows\system32\ybvhya.com 1344 "C:\Windows\SysWOW64\oguxqf.com"
        137⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        138⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        139⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\fnuuvu.com
        
        C:\Windows\system32\fnuuvu.com 1348 "C:\Windows\SysWOW64\ybvhya.com"
        138⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        139⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        140⤵
        
        PID:704
        
        C:\Windows\SysWOW64\salkbx.com
        
        C:\Windows\system32\salkbx.com 1352 "C:\Windows\SysWOW64\fnuuvu.com"
        139⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        140⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        141⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\xqqxxl.com
        
        C:\Windows\system32\xqqxxl.com 1356 "C:\Windows\SysWOW64\salkbx.com"
        140⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        141⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        142⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\kdzuch.com
        
        C:\Windows\system32\kdzuch.com 1360 "C:\Windows\SysWOW64\xqqxxl.com"
        141⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        142⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\uraktp.com
        
        C:\Windows\system32\uraktp.com 1364 "C:\Windows\SysWOW64\kdzuch.com"
        142⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        143⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        144⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        144⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\hivmbx.com
        
        C:\Windows\system32\hivmbx.com 1368 "C:\Windows\SysWOW64\uraktp.com"
        143⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        144⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        145⤵
        
        PID:640
        
        C:\Windows\SysWOW64\ugypkx.com
        
        C:\Windows\system32\ugypkx.com 1372 "C:\Windows\SysWOW64\hivmbx.com"
        144⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        145⤵
        
        PID:760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        146⤵
        Modifies security service
        
        PID:2568
        
        C:\Windows\SysWOW64\wtasfx.com
        
        C:\Windows\system32\wtasfx.com 1376 "C:\Windows\SysWOW64\ugypkx.com"
        145⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        146⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        147⤵
        Modifies security service
        
        PID:1808
        
        C:\Windows\SysWOW64\euzstm.com
        
        C:\Windows\system32\euzstm.com 1380 "C:\Windows\SysWOW64\wtasfx.com"
        146⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        147⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        148⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\niapju.com
        
        C:\Windows\system32\niapju.com 1384 "C:\Windows\SysWOW64\euzstm.com"
        147⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        148⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        149⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\azvssu.com
        
        C:\Windows\system32\azvssu.com 1392 "C:\Windows\SysWOW64\niapju.com"
        148⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        149⤵
        
        PID:868
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        150⤵
        
        PID:780
        
        C:\Windows\SysWOW64\npqvjc.com
        
        C:\Windows\system32\npqvjc.com 1388 "C:\Windows\SysWOW64\azvssu.com"
        149⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        150⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\aosxrk.com
        
        C:\Windows\system32\aosxrk.com 1396 "C:\Windows\SysWOW64\npqvjc.com"
        150⤵
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        151⤵
        
        PID:280
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        152⤵
        
        PID:576
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        152⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\nensak.com
        
        C:\Windows\system32\nensak.com 1400 "C:\Windows\SysWOW64\aosxrk.com"
        151⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        152⤵
        
        PID:536
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        153⤵
        
        PID:408
        
        C:\Windows\SysWOW64\xsopqs.com
        
        C:\Windows\system32\xsopqs.com 1404 "C:\Windows\SysWOW64\nensak.com"
        152⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        153⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        154⤵
        Modifies security service
        
        PID:1044
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        154⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\kfffww.com
        
        C:\Windows\system32\kfffww.com 1408 "C:\Windows\SysWOW64\xsopqs.com"
        153⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        154⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        155⤵
        
        PID:780
        
        C:\Windows\SysWOW64\rjisnh.com
        
        C:\Windows\system32\rjisnh.com 1412 "C:\Windows\SysWOW64\kfffww.com"
        154⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        155⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        156⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cjuqxf.com
        
        C:\Windows\system32\cjuqxf.com 1416 "C:\Windows\SysWOW64\rjisnh.com"
        155⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\olafjs.com
        
        C:\Windows\system32\olafjs.com 1420 "C:\Windows\SysWOW64\cjuqxf.com"
        156⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        157⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        158⤵
        Modifies security service
        
        PID:1208
        
        C:\Windows\SysWOW64\qnpqev.com
        
        C:\Windows\system32\qnpqev.com 1424 "C:\Windows\SysWOW64\olafjs.com"
        157⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\dmksnv.com
        
        C:\Windows\system32\dmksnv.com 1428 "C:\Windows\SysWOW64\qnpqev.com"
        158⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        159⤵
        
        PID:712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        160⤵
        Runs .reg file with regedit
        
        PID:396
        
        C:\Windows\SysWOW64\tudsun.com
        
        C:\Windows\system32\tudsun.com 1432 "C:\Windows\SysWOW64\dmksnv.com"
        159⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        160⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        161⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\gsyvcn.com
        
        C:\Windows\system32\gsyvcn.com 1436 "C:\Windows\SysWOW64\tudsun.com"
        160⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        161⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        162⤵
        
        PID:696
        
        C:\Windows\SysWOW64\pgzssu.com
        
        C:\Windows\system32\pgzssu.com 1440 "C:\Windows\SysWOW64\gsyvcn.com"
        161⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        162⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cxuvbd.com
        
        C:\Windows\system32\cxuvbd.com 1444 "C:\Windows\SysWOW64\pgzssu.com"
        162⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        163⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        164⤵
        Modifies security service
        
        PID:2504
        
        C:\Windows\SysWOW64\pnpyjd.com
        
        C:\Windows\system32\pnpyjd.com 1448 "C:\Windows\SysWOW64\cxuvbd.com"
        163⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        164⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmrbsl.com
        
        C:\Windows\system32\cmrbsl.com 1452 "C:\Windows\SysWOW64\pnpyjd.com"
        164⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        165⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        166⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\mohlno.com
        
        C:\Windows\system32\mohlno.com 1456 "C:\Windows\SysWOW64\cmrbsl.com"
        165⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        166⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        167⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\zqntza.com
        
        C:\Windows\system32\zqntza.com 1460 "C:\Windows\SysWOW64\mohlno.com"
        166⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        167⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        168⤵
        
        PID:868
        
        C:\Windows\SysWOW64\lmqlra.com
        
        C:\Windows\system32\lmqlra.com 476 "C:\Windows\SysWOW64\gzwdxy.com"
        169⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\yklnzi.com
        
        C:\Windows\system32\yklnzi.com 480 "C:\Windows\SysWOW64\lmqlra.com"
        170⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        171⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        172⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\igmyhc.com
        
        C:\Windows\system32\igmyhc.com 1668 "C:\Windows\SysWOW64\yklnzi.com"
        171⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        172⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        173⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\tfqvzb.com
        
        C:\Windows\system32\tfqvzb.com 1660 "C:\Windows\SysWOW64\igmyhc.com"
        172⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        173⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\xkjdld.com
        
        C:\Windows\system32\xkjdld.com 1676 "C:\Windows\SysWOW64\tfqvzb.com"
        173⤵
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        174⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        175⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\fdiiif.com
        
        C:\Windows\system32\fdiiif.com 1680 "C:\Windows\SysWOW64\xkjdld.com"
        174⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        175⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        176⤵
        Runs .reg file with regedit
        
        PID:1540
        
        C:\Windows\SysWOW64\pyjbpz.com
        
        C:\Windows\system32\pyjbpz.com 1684 "C:\Windows\SysWOW64\fdiiif.com"
        175⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        176⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        177⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\zxnyiy.com
        
        C:\Windows\system32\zxnyiy.com 1688 "C:\Windows\SysWOW64\pyjbpz.com"
        176⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        177⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        178⤵
        Modifies security service
        
        PID:3328
        
        C:\Windows\SysWOW64\eoslwe.com
        
        C:\Windows\system32\eoslwe.com 1692 "C:\Windows\SysWOW64\zxnyiy.com"
        177⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        178⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        179⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\qqybpq.com
        
        C:\Windows\system32\qqybpq.com 1696 "C:\Windows\SysWOW64\eoslwe.com"
        178⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        179⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        180⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\blzlxl.com
        
        C:\Windows\system32\blzlxl.com 1700 "C:\Windows\SysWOW64\qqybpq.com"
        179⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        180⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        181⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\octofl.com
        
        C:\Windows\system32\octofl.com 1704 "C:\Windows\SysWOW64\blzlxl.com"
        180⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        181⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        182⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\yejyso.com
        
        C:\Windows\system32\yejyso.com 1708 "C:\Windows\SysWOW64\octofl.com"
        181⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        182⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        183⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\kdmbbw.com
        
        C:\Windows\system32\kdmbbw.com 1712 "C:\Windows\SysWOW64\yejyso.com"
        182⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        183⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\xtgese.com
        
        C:\Windows\system32\xtgese.com 1716 "C:\Windows\SysWOW64\kdmbbw.com"
        183⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        184⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        185⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\ksbgaf.com
        
        C:\Windows\system32\ksbgaf.com 1720 "C:\Windows\SysWOW64\xtgese.com"
        184⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        185⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        186⤵
        Modifies security service
        
        PID:576
        
        C:\Windows\SysWOW64\uyceqm.com
        
        C:\Windows\system32\uyceqm.com 1664 "C:\Windows\SysWOW64\ksbgaf.com"
        185⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        186⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        187⤵
        Modifies security service
        
        PID:2136
        
        C:\Windows\SysWOW64\efobbl.com
        
        C:\Windows\system32\efobbl.com 1728 "C:\Windows\SysWOW64\uyceqm.com"
        186⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        187⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        188⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\mjqgsw.com
        
        C:\Windows\system32\mjqgsw.com 1672 "C:\Windows\SysWOW64\efobbl.com"
        187⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        188⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        189⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\tgatkp.com
        
        C:\Windows\system32\tgatkp.com 1724 "C:\Windows\SysWOW64\mjqgsw.com"
        188⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        189⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\ebbmrk.com
        
        C:\Windows\system32\ebbmrk.com 1740 "C:\Windows\SysWOW64\tgatkp.com"
        189⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        190⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        191⤵
        Modifies security service
        
        PID:3944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        192⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\qdhudo.com
        
        C:\Windows\system32\qdhudo.com 1744 "C:\Windows\SysWOW64\ebbmrk.com"
        190⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        191⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        192⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\agxeqr.com
        
        C:\Windows\system32\agxeqr.com 1748 "C:\Windows\SysWOW64\qdhudo.com"
        191⤵
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        192⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        193⤵
        Modifies security service
        
        PID:4032
        
        C:\Windows\SysWOW64\nerhyz.com
        
        C:\Windows\system32\nerhyz.com 1752 "C:\Windows\SysWOW64\agxeqr.com"
        192⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        193⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        194⤵
        Modifies security service
        
        PID:3020
        
        C:\Windows\SysWOW64\xdeery.com
        
        C:\Windows\system32\xdeery.com 1756 "C:\Windows\SysWOW64\nerhyz.com"
        193⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        194⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        195⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\azewyt.com
        
        C:\Windows\system32\azewyt.com 1760 "C:\Windows\SysWOW64\xdeery.com"
        194⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        195⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        196⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\kjuhmw.com
        
        C:\Windows\system32\kjuhmw.com 1764 "C:\Windows\SysWOW64\azewyt.com"
        195⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        196⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        197⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\xapccw.com
        
        C:\Windows\system32\xapccw.com 1768 "C:\Windows\SysWOW64\kjuhmw.com"
        196⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        197⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        198⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\jqjele.com
        
        C:\Windows\system32\jqjele.com 1772 "C:\Windows\SysWOW64\xapccw.com"
        197⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        198⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        199⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\tbhpyh.com
        
        C:\Windows\system32\tbhpyh.com 1776 "C:\Windows\SysWOW64\jqjele.com"
        198⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        199⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        200⤵
        Runs .reg file with regedit
        
        PID:2456
        
        C:\Windows\SysWOW64\yrejuv.com
        
        C:\Windows\system32\yrejuv.com 1780 "C:\Windows\SysWOW64\tbhpyh.com"
        199⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        200⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        201⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\gwoxeg.com
        
        C:\Windows\system32\gwoxeg.com 1784 "C:\Windows\SysWOW64\yrejuv.com"
        200⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        201⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        202⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\tjfmrk.com
        
        C:\Windows\system32\tjfmrk.com 1788 "C:\Windows\SysWOW64\gwoxeg.com"
        201⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        202⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        203⤵
        Modifies security service
        
        PID:3484
        
        C:\Windows\SysWOW64\dlvxff.com
        
        C:\Windows\system32\dlvxff.com 1732 "C:\Windows\SysWOW64\tjfmrk.com"
        202⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        203⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        204⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\kpfcoy.com
        
        C:\Windows\system32\kpfcoy.com 1572 "C:\Windows\SysWOW64\dlvxff.com"
        203⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\pgcxke.com
        
        C:\Windows\system32\pgcxke.com 1800 "C:\Windows\SysWOW64\kpfcoy.com"
        204⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        205⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        206⤵
        Runs .reg file with regedit
        
        PID:3980
        
        C:\Windows\SysWOW64\zfoucd.com
        
        C:\Windows\system32\zfoucd.com 1804 "C:\Windows\SysWOW64\pgcxke.com"
        205⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        206⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        207⤵
        Modifies security service
        
        PID:4068
        
        C:\Windows\SysWOW64\mdjxll.com
        
        C:\Windows\system32\mdjxll.com 1808 "C:\Windows\SysWOW64\zfoucd.com"
        206⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        207⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        208⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\wgyhyo.com
        
        C:\Windows\system32\wgyhyo.com 1812 "C:\Windows\SysWOW64\mdjxll.com"
        207⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        208⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        209⤵
        Runs .reg file with regedit
        
        PID:3576
        
        C:\Windows\SysWOW64\jetkhx.com
        
        C:\Windows\system32\jetkhx.com 1816 "C:\Windows\SysWOW64\wgyhyo.com"
        208⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        209⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        210⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\wvwnpx.com
        
        C:\Windows\system32\wvwnpx.com 1820 "C:\Windows\SysWOW64\jetkhx.com"
        209⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        210⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        211⤵
        Runs .reg file with regedit
        
        PID:3732
        
        C:\Windows\SysWOW64\guakiv.com
        
        C:\Windows\system32\guakiv.com 1824 "C:\Windows\SysWOW64\wvwnpx.com"
        210⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        211⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        212⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\qqbupq.com
        
        C:\Windows\system32\qqbupq.com 1828 "C:\Windows\SysWOW64\guakiv.com"
        211⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        212⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        213⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\gjxpze.com
        
        C:\Windows\system32\gjxpze.com 1832 "C:\Windows\SysWOW64\qqbupq.com"
        212⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        213⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        214⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\pxyfpl.com
        
        C:\Windows\system32\pxyfpl.com 1836 "C:\Windows\SysWOW64\gjxpze.com"
        213⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        214⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        215⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cntiyt.com
        
        C:\Windows\system32\cntiyt.com 1840 "C:\Windows\SysWOW64\pxyfpl.com"
        214⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        215⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        216⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\pmokgc.com
        
        C:\Windows\system32\pmokgc.com 1844 "C:\Windows\SysWOW64\cntiyt.com"
        215⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        216⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        217⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\ccqnxc.com
        
        C:\Windows\system32\ccqnxc.com 1848 "C:\Windows\SysWOW64\pmokgc.com"
        216⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        217⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        218⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\mngxkf.com
        
        C:\Windows\system32\mngxkf.com 1852 "C:\Windows\SysWOW64\ccqnxc.com"
        217⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        218⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        219⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\zebatn.com
        
        C:\Windows\system32\zebatn.com 1856 "C:\Windows\SysWOW64\mngxkf.com"
        218⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        219⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\muddbv.com
        
        C:\Windows\system32\muddbv.com 1860 "C:\Windows\SysWOW64\zebatn.com"
        219⤵
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        220⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        221⤵
        Modifies security service
        
        PID:872
        
        C:\Windows\SysWOW64\ztyfkv.com
        
        C:\Windows\system32\ztyfkv.com 1864 "C:\Windows\SysWOW64\muddbv.com"
        220⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        221⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        222⤵
        Modifies security service
        
        PID:3084
        
        C:\Windows\SysWOW64\ihzdid.com
        
        C:\Windows\system32\ihzdid.com 1868 "C:\Windows\SysWOW64\ztyfkv.com"
        221⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        222⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        223⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\vuisoh.com
        
        C:\Windows\system32\vuisoh.com 1872 "C:\Windows\SysWOW64\ihzdid.com"
        222⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        223⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        224⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\iooazl.com
        
        C:\Windows\system32\iooazl.com 1876 "C:\Windows\SysWOW64\vuisoh.com"
        223⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        224⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        225⤵
        Modifies security service
        
        PID:3424
        
        C:\Windows\SysWOW64\vmrdit.com
        
        C:\Windows\system32\vmrdit.com 1880 "C:\Windows\SysWOW64\iooazl.com"
        224⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        225⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        226⤵
        Runs .reg file with regedit
        
        PID:3644
        
        C:\Windows\SysWOW64\idmfqb.com
        
        C:\Windows\system32\idmfqb.com 1892 "C:\Windows\SysWOW64\vmrdit.com"
        225⤵
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        226⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        227⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\scqdba.com
        
        C:\Windows\system32\scqdba.com 1884 "C:\Windows\SysWOW64\idmfqb.com"
        226⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        227⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cqraza.com
        
        C:\Windows\system32\cqraza.com 1888 "C:\Windows\SysWOW64\scqdba.com"
        227⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        228⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        229⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\sczvdn.com
        
        C:\Windows\system32\sczvdn.com 1896 "C:\Windows\SysWOW64\cqraza.com"
        228⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        229⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        230⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\utnlbs.com
        
        C:\Windows\system32\utnlbs.com 1900 "C:\Windows\SysWOW64\sczvdn.com"
        229⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        230⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        231⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\bumlhy.com
        
        C:\Windows\system32\bumlhy.com 1904 "C:\Windows\SysWOW64\utnlbs.com"
        230⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        231⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\linafg.com
        
        C:\Windows\system32\linafg.com 1908 "C:\Windows\SysWOW64\bumlhy.com"
        231⤵
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        232⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        233⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\yyhdoo.com
        
        C:\Windows\system32\yyhdoo.com 1912 "C:\Windows\SysWOW64\linafg.com"
        232⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        169⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\mdeiew.com
        
        C:\Windows\system32\mdeiew.com 1464 "C:\Windows\SysWOW64\zqntza.com"
        167⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        168⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        169⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\thhvwp.com
        
        C:\Windows\system32\thhvwp.com 1468 "C:\Windows\SysWOW64\mdeiew.com"
        168⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        169⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        170⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\ybxvna.com
        
        C:\Windows\system32\ybxvna.com 516 "C:\Windows\SysWOW64\thhvwp.com"
        169⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        170⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        171⤵
        
        PID:576
        
        C:\Windows\SysWOW64\laryvi.com
        
        C:\Windows\system32\laryvi.com 1476 "C:\Windows\SysWOW64\ybxvna.com"
        170⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        171⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        172⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\swclnt.com
        
        C:\Windows\system32\swclnt.com 1480 "C:\Windows\SysWOW64\laryvi.com"
        171⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\drcwun.com
        
        C:\Windows\system32\drcwun.com 964 "C:\Windows\SysWOW64\swclnt.com"
        172⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        74⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        46⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\shwdkb.com
        
        C:\Windows\system32\shwdkb.com 712 "C:\Windows\SysWOW64\frcact.com"
        45⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        46⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        47⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\bvxsaj.com
        
        C:\Windows\system32\bvxsaj.com 708 "C:\Windows\SysWOW64\shwdkb.com"
        46⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        47⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        48⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\lvbqli.com
        
        C:\Windows\system32\lvbqli.com 716 "C:\Windows\SysWOW64\bvxsaj.com"
        47⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        48⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        49⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\ytesti.com
        
        C:\Windows\system32\ytesti.com 720 "C:\Windows\SysWOW64\lvbqli.com"
        48⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        49⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        50⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\lvkinu.com
        
        C:\Windows\system32\lvkinu.com 724 "C:\Windows\SysWOW64\ytesti.com"
        49⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        50⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        51⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        52⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\ymflvu.com
        
        C:\Windows\system32\ymflvu.com 728 "C:\Windows\SysWOW64\lvkinu.com"
        50⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        51⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        52⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\lzoaby.com
        
        C:\Windows\system32\lzoaby.com 732 "C:\Windows\SysWOW64\ymflvu.com"
        51⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        52⤵
        
        PID:808
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        53⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\vjmlob.com
        
        C:\Windows\system32\vjmlob.com 736 "C:\Windows\SysWOW64\lzoaby.com"
        52⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        53⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        54⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\iahoxk.com
        
        C:\Windows\system32\iahoxk.com 740 "C:\Windows\SysWOW64\vjmlob.com"
        53⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        54⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        55⤵
        Runs .reg file with regedit
        
        PID:2568
        
        C:\Windows\SysWOW64\scwysn.com
        
        C:\Windows\system32\scwysn.com 748 "C:\Windows\SysWOW64\iahoxk.com"
        54⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        55⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        56⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\fbrbbn.com
        
        C:\Windows\system32\fbrbbn.com 752 "C:\Windows\SysWOW64\scwysn.com"
        55⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        56⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        57⤵
        Modifies security service
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        58⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        59⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\pdoloq.com
        
        C:\Windows\system32\pdoloq.com 744 "C:\Windows\SysWOW64\fbrbbn.com"
        56⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        57⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        58⤵
        Modifies security service
        
        PID:2996
        
        C:\Windows\SysWOW64\ccjoxy.com
        
        C:\Windows\system32\ccjoxy.com 756 "C:\Windows\SysWOW64\pdoloq.com"
        57⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        58⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        59⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\ppadcc.com
        
        C:\Windows\system32\ppadcc.com 760 "C:\Windows\SysWOW64\ccjoxy.com"
        58⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        59⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        60⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\ydtbab.com
        
        C:\Windows\system32\ydtbab.com 772 "C:\Windows\SysWOW64\ppadcc.com"
        59⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        60⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        61⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\lqlrgf.com
        
        C:\Windows\system32\lqlrgf.com 764 "C:\Windows\SysWOW64\ydtbab.com"
        60⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        61⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        62⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\ygftpn.com
        
        C:\Windows\system32\ygftpn.com 768 "C:\Windows\SysWOW64\lqlrgf.com"
        61⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        62⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        63⤵
        Runs .reg file with regedit
        
        PID:2868
        
        C:\Windows\SysWOW64\jnsrzm.com
        
        C:\Windows\system32\jnsrzm.com 776 "C:\Windows\SysWOW64\ygftpn.com"
        62⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        63⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        64⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        65⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\vhyylr.com
        
        C:\Windows\system32\vhyylr.com 780 "C:\Windows\SysWOW64\jnsrzm.com"
        63⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        64⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        65⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\fsnjgu.com
        
        C:\Windows\system32\fsnjgu.com 784 "C:\Windows\SysWOW64\vhyylr.com"
        64⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        65⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        66⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\sjiloc.com
        
        C:\Windows\system32\sjiloc.com 788 "C:\Windows\SysWOW64\fsnjgu.com"
        65⤵
        Executes dropped EXE
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        66⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        67⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\ciujzb.com
        
        C:\Windows\system32\ciujzb.com 792 "C:\Windows\SysWOW64\sjiloc.com"
        66⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        67⤵
        
        PID:656
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        68⤵
        
        PID:340
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        68⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\pgplij.com
        
        C:\Windows\system32\pgplij.com 796 "C:\Windows\SysWOW64\ciujzb.com"
        67⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        68⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        69⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\zjewde.com
        
        C:\Windows\system32\zjewde.com 800 "C:\Windows\SysWOW64\pgplij.com"
        68⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        69⤵
        
        PID:868
        
        C:\Windows\SysWOW64\mlkmoq.com
        
        C:\Windows\system32\mlkmoq.com 804 "C:\Windows\SysWOW64\zjewde.com"
        69⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        70⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        71⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\zycbuu.com
        
        C:\Windows\system32\zycbuu.com 808 "C:\Windows\SysWOW64\mlkmoq.com"
        70⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        71⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        72⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        72⤵
        Runs .reg file with regedit
        
        PID:3012
        
        C:\Windows\SysWOW64\jirmhx.com
        
        C:\Windows\system32\jirmhx.com 812 "C:\Windows\SysWOW64\zycbuu.com"
        71⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        72⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        73⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\teswxs.com
        
        C:\Windows\system32\teswxs.com 816 "C:\Windows\SysWOW64\jirmhx.com"
        72⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        73⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        74⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        74⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2272
        
        C:\Windows\SysWOW64\dhhgkv.com
        
        C:\Windows\system32\dhhgkv.com 820 "C:\Windows\SysWOW64\teswxs.com"
        73⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        74⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        75⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\qxcjtv.com
        
        C:\Windows\system32\qxcjtv.com 824 "C:\Windows\SysWOW64\dhhgkv.com"
        74⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        75⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        76⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\dvfmbd.com
        
        C:\Windows\system32\dvfmbd.com 832 "C:\Windows\SysWOW64\qxcjtv.com"
        75⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        76⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        77⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\qmapkm.com
        
        C:\Windows\system32\qmapkm.com 828 "C:\Windows\SysWOW64\dvfmbd.com"
        76⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        77⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        78⤵
        
        PID:496
        
        C:\Windows\SysWOW64\zaamil.com
        
        C:\Windows\system32\zaamil.com 836 "C:\Windows\SysWOW64\qmapkm.com"
        77⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        78⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        79⤵
        
        PID:268
        
        C:\Windows\SysWOW64\mrvpqt.com
        
        C:\Windows\system32\mrvpqt.com 848 "C:\Windows\SysWOW64\zaamil.com"
        78⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        79⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        80⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\zpqrzb.com
        
        C:\Windows\system32\zpqrzb.com 840 "C:\Windows\SysWOW64\mrvpqt.com"
        79⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        80⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        81⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\mgtuib.com
        
        C:\Windows\system32\mgtuib.com 844 "C:\Windows\SysWOW64\zpqrzb.com"
        80⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        81⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        82⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\zeoxqk.com
        
        C:\Windows\system32\zeoxqk.com 852 "C:\Windows\SysWOW64\mgtuib.com"
        81⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        82⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        83⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\mvirzs.com
        
        C:\Windows\system32\mvirzs.com 856 "C:\Windows\SysWOW64\zeoxqk.com"
        82⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        83⤵
        
        PID:408
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        84⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\wjjpxz.com
        
        C:\Windows\system32\wjjpxz.com 860 "C:\Windows\SysWOW64\mvirzs.com"
        83⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        84⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        85⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\izmrgz.com
        
        C:\Windows\system32\izmrgz.com 864 "C:\Windows\SysWOW64\wjjpxz.com"
        84⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        85⤵
        
        PID:796
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        86⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        87⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        88⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\nyhuoi.com
        
        C:\Windows\system32\nyhuoi.com 868 "C:\Windows\SysWOW64\izmrgz.com"
        85⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        86⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        87⤵
        
        PID:320
        
        C:\Windows\SysWOW64\vurhyt.com
        
        C:\Windows\system32\vurhyt.com 872 "C:\Windows\SysWOW64\nyhuoi.com"
        86⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        87⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        88⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\hzicmj.com
        
        C:\Windows\system32\hzicmj.com 876 "C:\Windows\SysWOW64\vurhyt.com"
        87⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        88⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        89⤵
        
        PID:640
        
        C:\Windows\SysWOW64\svbmbe.com
        
        C:\Windows\system32\svbmbe.com 492 "C:\Windows\SysWOW64\hzicmj.com"
        88⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        89⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\zdxmot.com
        
        C:\Windows\system32\zdxmot.com 496 "C:\Windows\SysWOW64\svbmbe.com"
        89⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        90⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        91⤵
        Runs .reg file with regedit
        
        PID:2100
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        92⤵
        Runs .reg file with regedit
        
        PID:536
        
        C:\Windows\SysWOW64\hskfij.com
        
        C:\Windows\system32\hskfij.com 888 "C:\Windows\SysWOW64\zdxmot.com"
        90⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        91⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\rrwcsi.com
        
        C:\Windows\system32\rrwcsi.com 892 "C:\Windows\SysWOW64\hskfij.com"
        91⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        92⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        93⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\eegayl.com
        
        C:\Windows\system32\eegayl.com 896 "C:\Windows\SysWOW64\rrwcsi.com"
        92⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        93⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        94⤵
        Runs .reg file with regedit
        
        PID:1580
        
        C:\Windows\SysWOW64\ohdcto.com
        
        C:\Windows\system32\ohdcto.com 900 "C:\Windows\SysWOW64\eegayl.com"
        93⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        94⤵
        
        PID:296
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        95⤵
        
        PID:292
        
        C:\Windows\SysWOW64\ajjsft.com
        
        C:\Windows\system32\ajjsft.com 904 "C:\Windows\SysWOW64\ohdcto.com"
        94⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        95⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        96⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\lfckmv.com
        
        C:\Windows\system32\lfckmv.com 912 "C:\Windows\SysWOW64\ajjsft.com"
        95⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        96⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        97⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\ydfnvw.com
        
        C:\Windows\system32\ydfnvw.com 908 "C:\Windows\SysWOW64\lfckmv.com"
        96⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        97⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\icjknu.com
        
        C:\Windows\system32\icjknu.com 916 "C:\Windows\SysWOW64\ydfnvw.com"
        97⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        98⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        99⤵
        Runs .reg file with regedit
        
        PID:1996
        
        C:\Windows\SysWOW64\uiafcl.com
        
        C:\Windows\system32\uiafcl.com 920 "C:\Windows\SysWOW64\icjknu.com"
        98⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        99⤵
        
        PID:296
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        100⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\hyvikl.com
        
        C:\Windows\system32\hyvikl.com 932 "C:\Windows\SysWOW64\uiafcl.com"
        99⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        100⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        101⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\uxqktu.com
        
        C:\Windows\system32\uxqktu.com 924 "C:\Windows\SysWOW64\hyvikl.com"
        100⤵
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        101⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        102⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\ewcids.com
        
        C:\Windows\system32\ewcids.com 928 "C:\Windows\SysWOW64\uxqktu.com"
        101⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        102⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        103⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\ovgfwr.com
        
        C:\Windows\system32\ovgfwr.com 936 "C:\Windows\SysWOW64\ewcids.com"
        102⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        103⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        104⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\bljiez.com
        
        C:\Windows\system32\bljiez.com 940 "C:\Windows\SysWOW64\ovgfwr.com"
        103⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        104⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        105⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\orslsi.com
        
        C:\Windows\system32\orslsi.com 944 "C:\Windows\SysWOW64\bljiez.com"
        104⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        105⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        106⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\lloyjl.com
        
        C:\Windows\system32\lloyjl.com 556 "C:\Windows\SysWOW64\orslsi.com"
        105⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        106⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        107⤵
        
        PID:772
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        107⤵
        Runs .reg file with regedit
        
        PID:1924
        
        C:\Windows\SysWOW64\dzndtm.com
        
        C:\Windows\system32\dzndtm.com 952 "C:\Windows\SysWOW64\lloyjl.com"
        106⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        107⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\nyrael.com
        
        C:\Windows\system32\nyrael.com 512 "C:\Windows\SysWOW64\dzndtm.com"
        107⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        108⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        109⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\xjolzo.com
        
        C:\Windows\system32\xjolzo.com 960 "C:\Windows\SysWOW64\nyrael.com"
        108⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\hisijn.com
        
        C:\Windows\system32\hisijn.com 460 "C:\Windows\SysWOW64\xjolzo.com"
        109⤵
        Modifies security service
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        110⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        111⤵
        Modifies security service
        
        PID:1020
        
        C:\Windows\SysWOW64\uvkypj.com
        
        C:\Windows\system32\uvkypj.com 464 "C:\Windows\SysWOW64\hisijn.com"
        110⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        109⤵
        
        PID:1548

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:784

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:2820

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Runs .reg file with regedit
PID:1852

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Runs .reg file with regedit
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:2460

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:2132

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Modifies security service
PID:2000

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:1656

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:784

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:1604

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:704
- C:\Windows\SysWOW64\regedit.exe
  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  2⤵
  - Runs .reg file with regedit
  PID:2804

C:\Windows\SysWOW64\hufayr.com
C:\Windows\system32\hufayr.com 468 "C:\Windows\SysWOW64\uvkypj.com"
1⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:1500

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:2188

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:872
- C:\Windows\SysWOW64\regedit.exe
  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  2⤵
  PID:3044

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Modifies security service
PID:2504

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:1780

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:3188
- C:\Windows\SysWOW64\regedit.exe
  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  2⤵
  PID:3632
- C:\Windows\SysWOW64\regedit.exe
  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  2⤵
  PID:3008

C:\Windows\SysWOW64\pxmyqe.com
C:\Windows\system32\pxmyqe.com 520 "C:\Windows\SysWOW64\drcwun.com"
1⤵
PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\system32\sm1.bat
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    PID:2136
- C:\Windows\SysWOW64\ukfgcg.com
  C:\Windows\system32\ukfgcg.com 1492 "C:\Windows\SysWOW64\pxmyqe.com"
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\system32\sm1.bat
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      PID:3228
- - C:\Windows\SysWOW64\hxxwik.com
    C:\Windows\system32\hxxwik.com 972 "C:\Windows\SysWOW64\ukfgcg.com"
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\system32\sm1.bat
      4⤵
      PID:3328
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        
        PID:1352
  - - C:\Windows\SysWOW64\uzdlbw.com
      C:\Windows\system32\uzdlbw.com 948 "C:\Windows\SysWOW64\hxxwik.com"
      4⤵
      PID:3836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        5⤵
        
        PID:3912
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Runs .reg file with regedit
        
        PID:3240
    - - C:\Windows\SysWOW64\sgzmmn.com
        
        C:\Windows\system32\sgzmmn.com 528 "C:\Windows\SysWOW64\uzdlbw.com"
        5⤵
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        6⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        
        PID:3440
      - C:\Windows\SysWOW64\vqqjej.com
        
        C:\Windows\system32\vqqjej.com 1508 "C:\Windows\SysWOW64\sgzmmn.com"
        6⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        7⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\flruud.com
        
        C:\Windows\system32\flruud.com 1512 "C:\Windows\SysWOW64\vqqjej.com"
        7⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        8⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\pzsrkl.com
        
        C:\Windows\system32\pzsrkl.com 1516 "C:\Windows\SysWOW64\flruud.com"
        8⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        9⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\zywouj.com
        
        C:\Windows\system32\zywouj.com 1520 "C:\Windows\SysWOW64\pzsrkl.com"
        9⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        10⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        
        PID:2696
        
        C:\Windows\SysWOW64\mtnean.com
        
        C:\Windows\system32\mtnean.com 1528 "C:\Windows\SysWOW64\zywouj.com"
        10⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        11⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\wwdovq.com
        
        C:\Windows\system32\wwdovq.com 1524 "C:\Windows\SysWOW64\mtnean.com"
        11⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        12⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\gvhmgp.com
        
        C:\Windows\system32\gvhmgp.com 1532 "C:\Windows\SysWOW64\wwdovq.com"
        12⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\tukpop.com
        
        C:\Windows\system32\tukpop.com 1536 "C:\Windows\SysWOW64\gvhmgp.com"
        13⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        14⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        15⤵
        Runs .reg file with regedit
        
        PID:3360
        
        C:\Windows\SysWOW64\dpdzek.com
        
        C:\Windows\system32\dpdzek.com 1540 "C:\Windows\SysWOW64\tukpop.com"
        14⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        15⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\nssjrn.com
        
        C:\Windows\system32\nssjrn.com 1544 "C:\Windows\SysWOW64\dpdzek.com"
        15⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        16⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        17⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\xcpueq.com
        
        C:\Windows\system32\xcpueq.com 1548 "C:\Windows\SysWOW64\nssjrn.com"
        16⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        17⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\kpzkku.com
        
        C:\Windows\system32\kpzkku.com 1552 "C:\Windows\SysWOW64\xcpueq.com"
        17⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        18⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        19⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\pgeega.com
        
        C:\Windows\system32\pgeega.com 1556 "C:\Windows\SysWOW64\kpzkku.com"
        18⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        19⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\zficyz.com
        
        C:\Windows\system32\zficyz.com 1560 "C:\Windows\SysWOW64\pgeega.com"
        19⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        20⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        21⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\mszsec.com
        
        C:\Windows\system32\mszsec.com 1564 "C:\Windows\SysWOW64\zficyz.com"
        20⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        21⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\rmhzvv.com
        
        C:\Windows\system32\rmhzvv.com 1568 "C:\Windows\SysWOW64\mszsec.com"
        21⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\bhiklp.com
        
        C:\Windows\system32\bhiklp.com 1500 "C:\Windows\SysWOW64\rmhzvv.com"
        22⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        23⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Modifies security service
        
        PID:2764
        
        C:\Windows\SysWOW64\lsyuys.com
        
        C:\Windows\system32\lsyuys.com 1576 "C:\Windows\SysWOW64\bhiklp.com"
        23⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        24⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\nrksij.com
        
        C:\Windows\system32\nrksij.com 1096 "C:\Windows\SysWOW64\lsyuys.com"
        24⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        25⤵
        
        PID:560
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        26⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\dhvapb.com
        
        C:\Windows\system32\dhvapb.com 1584 "C:\Windows\SysWOW64\nrksij.com"
        25⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        26⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        27⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\qxqcyj.com
        
        C:\Windows\system32\qxqcyj.com 1588 "C:\Windows\SysWOW64\dhvapb.com"
        26⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        27⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        28⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\czwkrn.com
        
        C:\Windows\system32\czwkrn.com 1592 "C:\Windows\SysWOW64\qxqcyj.com"
        27⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        28⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        29⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\mclueq.com
        
        C:\Windows\system32\mclueq.com 1596 "C:\Windows\SysWOW64\czwkrn.com"
        28⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        29⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        30⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\csfcla.com
        
        C:\Windows\system32\csfcla.com 1600 "C:\Windows\SysWOW64\mclueq.com"
        29⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        30⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        31⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\piafui.com
        
        C:\Windows\system32\piafui.com 1612 "C:\Windows\SysWOW64\csfcla.com"
        30⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        31⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        32⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\ztpphl.com
        
        C:\Windows\system32\ztpphl.com 1604 "C:\Windows\SysWOW64\piafui.com"
        31⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        32⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        33⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\mghfnp.com
        
        C:\Windows\system32\mghfnp.com 1608 "C:\Windows\SysWOW64\ztpphl.com"
        32⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        33⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        34⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\vuhclx.com
        
        C:\Windows\system32\vuhclx.com 1616 "C:\Windows\SysWOW64\mghfnp.com"
        33⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        34⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        35⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\ikcftx.com
        
        C:\Windows\system32\ikcftx.com 1620 "C:\Windows\SysWOW64\vuhclx.com"
        34⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        35⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        36⤵
        Modifies security service
        
        PID:1880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        36⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\vbxicf.com
        
        C:\Windows\system32\vbxicf.com 1628 "C:\Windows\SysWOW64\ikcftx.com"
        35⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        36⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        37⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\izslln.com
        
        C:\Windows\system32\izslln.com 1624 "C:\Windows\SysWOW64\vbxicf.com"
        36⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        37⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        38⤵
        Modifies security service
        
        PID:3164
        
        C:\Windows\SysWOW64\plyqih.com
        
        C:\Windows\system32\plyqih.com 1632 "C:\Windows\SysWOW64\izslln.com"
        37⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        38⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        39⤵
        Runs .reg file with regedit
        
        PID:3200
        
        C:\Windows\SysWOW64\fxzlem.com
        
        C:\Windows\system32\fxzlem.com 1636 "C:\Windows\SysWOW64\plyqih.com"
        38⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        39⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        40⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\pdzact.com
        
        C:\Windows\system32\pdzact.com 1640 "C:\Windows\SysWOW64\fxzlem.com"
        39⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        40⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        41⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\ccudkc.com
        
        C:\Windows\system32\ccudkc.com 1644 "C:\Windows\SysWOW64\pdzact.com"
        40⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        41⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        42⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\ppmsqx.com
        
        C:\Windows\system32\ppmsqx.com 1648 "C:\Windows\SysWOW64\ccudkc.com"
        41⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\zoqyaw.com
        
        C:\Windows\system32\zoqyaw.com 968 "C:\Windows\SysWOW64\ppmsqx.com"
        42⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        43⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        44⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\gzwdxy.com
        
        C:\Windows\system32\gzwdxy.com 884 "C:\Windows\SysWOW64\zoqyaw.com"
        43⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\system32\sm1.bat
        42⤵
        
        PID:3516

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:3792

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Modifies security service
PID:3084

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:3876
- C:\Windows\SysWOW64\regedit.exe
  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  2⤵
  PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:3188

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:2640
- C:\Windows\SysWOW64\regedit.exe
  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  2⤵
  PID:3444

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:1656

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\system32\sm1.bat
1⤵
PID:3288
- C:\Windows\SysWOW64\regedit.exe
  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  2⤵
  PID:3636

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
112B

MD5
a7784814f96f4d714d70f0a64afd3520

SHA1
4204eb27ed46350f6608fe1717bb8ef745b94732

SHA256
c0040494b6a8c2f40ab157ccc5be9e99cbb7bb285fa39131f340a8501758b0fc

SHA512
f4fbd4d6d571a2399b997269966623dcda83085a85476b4166dbe41c507519ded016a13f92e8a37c9ea5a8b756ed601fee302a6a8122f581efcd99771b975474

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
10B

MD5
c756b8eac93de58d57105a6c35adb50f

SHA1
b18d370dabc3c5b9e82d74f19bbc101a1be009f2

SHA256
853448e59c9bb7599fa8a5ff03a0b608781a02d41f58576f1192e0c48cb8d635

SHA512
09fbfe4a17b1fb6167c6889e5a0ab41cfef9e1372796e69c2558a50a002d9c1e2b0d81d45d7f96be9d02a8025d0ae276ecc01f135e9ccb04c301adcffd67d263

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5f6aefafda312b288b7d555c1fc36dc9

SHA1
f25e2fdea9dd714d0fae68af71cace7bb49302ce

SHA256
60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a

SHA512
97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
86B

MD5
81f2f44f6ecac84e6336cf272aff53bf

SHA1
24d388235609e7560066b834be91c5407b202b1f

SHA256
b6c9d291084087663b29aa58c8a14f13ec1cb80a499c6ae60cc71002b6376636

SHA512
44efc9c05c4cdeb189308e894734cef5c83b8be80850441989e45c29671facecb7be9504291a6947443da227b35555ecd933136e2e819c20c2ddeafcf01b87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
703B

MD5
e2564fc59a86ea85b7485ab7288c68c4

SHA1
bc1544d9a03d1adafe399067ac32bf8d1cedbdb0

SHA256
68e8d8ef14bfbe96ebad3fb391fd4c1e57068a7f950dd31840884f6d58b078a8

SHA512
e09c6741d99ec41763e939aa39adb4e0f8508d37556c52251eec268849e85960da42ace7e9b82f1927de5bcf29ebec205189b113d2bb123025f3e6615b28ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
bf7ee07851e04b2a0dbe554db62dc3aa

SHA1
cad155b66053cd7ce2b969a0eb20a8f4812b1f46

SHA256
13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9

SHA512
9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2299014e9ce921b7045e958d39d83e74

SHA1
26ed64f84417eb05d1d9d48441342ca1363084da

SHA256
ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57

SHA512
0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
8d6eb64e58d3f14686110fcaf1363269

SHA1
d85c0b208716b400894ba4cb569a5af4aa178a2f

SHA256
c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5

SHA512
5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
925B

MD5
0d1e5715cf04d212bcd7c9dea5f7ab72

SHA1
a8add44bf542e4d22260a13de6a35704fb7f3bfb

SHA256
5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473

SHA512
89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
f1cbbc2ce0d93c45a92edcc86780e9f0

SHA1
d893306caae2584cdeba4c80c3bfe18548fa227a

SHA256
6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7

SHA512
b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5002319f56002f8d7ceacecf8672ce25

SHA1
3b26b6801be4768cc7582e29bc93facdf2a74be3

SHA256
f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

SHA512
8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a57e37dfb6f88b2d04424936ed0b4afb

SHA1
35e2f81486b8420b88b7693ad3e92f846367cb12

SHA256
411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d

SHA512
41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5b77620cb52220f4a82e3551ee0a53a6

SHA1
07d122b8e70ec5887bad4ef8f4d6209df18912d0

SHA256
93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579

SHA512
9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d5e129352c8dd0032b51f34a2bbecad3

SHA1
a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

SHA256
ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

SHA512
9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
558e454bc2d99d7949719cf24f540dd2

SHA1
e9c772bcee4ae780cdc28b0b4876385639e59b39

SHA256
677ec2cfe2ae99352aa12ac658d01a7bb0b51cf3cd2c568e94a78754326ca43a

SHA512
5bb10dcf81ccab0b7e2274d3ccdbda5a38014576096fef71725cfa6e16a4bfd29f481f3bc5ad15426fb9918eeca67fff11291a88caf10974433214674c1c1b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
1c6131354c6987300ea512b765475b82

SHA1
2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53

SHA256
3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640

SHA512
b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
384B

MD5
c93c561465db53bf9a99759de9d25f07

SHA1
5386934828e2c2589bfe394ac1f03ffbfba93bfa

SHA256
32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

SHA512
bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
851B

MD5
a13ff758fc4326eaa44582bc9700aead

SHA1
a4927b4a3b84526c5c42a077ade4652ab308f83f

SHA256
c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588

SHA512
86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f8a9a1aa9bab7821d25ae628e6d04f68

SHA1
c3e7a9ccc9805ae94aabfd16e2cb461fde3fae5a

SHA256
76ee7c489d11427af94d0334368ef2ed44df4a74984ffd4022c9ea9fae9c41fb

SHA512
0fb3a29367fa3c3eb36c6a7e9ff217ccdd7cce18309964aa7068a00f500ea4ea49588344ebbc52ae77d83e5042c3fdb84f56fa1dae07b8bb774aed6fffd18c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1024B

MD5
159bb1d34a927f58fc851798c7c09b58

SHA1
c3a26565004531f3a93e29eabb0f9a196b4c1ba2

SHA256
53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd

SHA512
b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
989c5352030fafd44b92adf4d4164738

SHA1
e02985c15eb20682115e3fc343f829e28770ed6c

SHA256
248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38

SHA512
9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d8be0d42e512d922804552250f01eb90

SHA1
cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3

SHA256
901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82

SHA512
f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
1b2949b211ab497b739b1daf37cd4101

SHA1
12cad1063d28129ddd89e80acc2940f8dfbbaab3

SHA256
3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c

SHA512
a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8c6aa92ac8ffdfb7a0fb3dafd14d65f1

SHA1
cac3992d696a99a5dec2ab1c824c816117414b16

SHA256
dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa

SHA512
f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5da7efcc8d0fcdf2bad7890c3f8a27ca

SHA1
681788d5a3044eee8426d431bd786375cd32bf13

SHA256
7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8

SHA512
6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
61ec72543aaac5c7b336d2b22f919c07

SHA1
5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d

SHA256
088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea

SHA512
e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
294976e85ad11a45853f99c1b208723f

SHA1
8d83101d69420b5af97ec517165d849d3ab498fc

SHA256
04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff

SHA512
e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
117efa689c5631c1a1ee316f123182bd

SHA1
f477bf1e9f4db8452bd9fe314cd18715f7045689

SHA256
79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7

SHA512
abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
bef09dc596b7b91eec4f38765e0965b7

SHA1
b8bb8d2eb918e0979b08fd1967dac127874b9de5

SHA256
8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265

SHA512
0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
683B

MD5
6fe56f6715b4c328bc5b2b35cb51c7e1

SHA1
8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3

SHA256
0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be

SHA512
8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
82fb85e6f9058c36d57abc2350ffee7e

SHA1
f52708d066380d42924513f697ab4ed5492f78b8

SHA256
0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

SHA512
27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8a36f3bf3750851d8732b132fa330bb4

SHA1
1cb36be31f3d7d9439aac14af3d7a27f05a980eb

SHA256
5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9

SHA512
a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f708dcfd087b5b3763678cfb8d63735e

SHA1
a38fa7fa516c1402762425176ff1b607db36c752

SHA256
abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10

SHA512
fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ff6c57e8ec2b96b8da7fe900f1f3da1c

SHA1
a6f0dc2e2a0a46e1031017b81825173054bf76ae

SHA256
ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6

SHA512
c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
386B

MD5
4be01c629881eddccb675ba267a66899

SHA1
23324e7814bcd157b27e810f4c786b0c39bfc9b1

SHA256
39c14522925e5e55bf1eefcd5beb8b7aae687158163082aac7ef5690c3524a30

SHA512
7c3063badaa57e3a39eea5d87e6bdbeec00793f9afd2bea52d3aa354e0bbd83e2a63966438fe7305f29a0ee6f45cb77d4613fe2d3b4f6719e16860deae764d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
942B

MD5
4cee92ad10b11dbf325a40c64ff7d745

SHA1
b395313d0e979fede2261f8cc558fcebfefcae33

SHA256
eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1

SHA512
3f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
978B

MD5
2e2266221550edce9a27c9060d5c2361

SHA1
f39f2d8f02f8b3a877d5969a81c4cb12679609f3

SHA256
e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

SHA512
e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a437192517c26d96c8cee8d5a27dd560

SHA1
f665a3e5e5c141e4527509dffd30b0320aa8df6f

SHA256
d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23

SHA512
f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3bd23392c6fcc866c4561388c1dc72ac

SHA1
c4b1462473f1d97fed434014532ea344b8fc05c1

SHA256
696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43

SHA512
15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
f31b2aa720a1c523c1e36a40ef21ee0d

SHA1
9c8089896c55e6e6a9cca99b1b98c544723d314e

SHA256
cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716

SHA512
a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2b307765b7465ef5e4935f0ed7307c01

SHA1
c46a1947f8b2785114891f7905f663d9ae517f1b

SHA256
a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85

SHA512
fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
47985593a44ee38c64665b04cbd4b84c

SHA1
84900c2b2e116a7b744730733f63f2a38b4eb76e

SHA256
4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70

SHA512
abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
584f47a0068747b3295751a0d591f4ee

SHA1
7886a90e507c56d3a6105ecdfd9ff77939afa56f

SHA256
927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

SHA512
ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
360B

MD5
3a1a83c2ffad464e87a2f9a502b7b9f1

SHA1
4ffa65ecdd0455499c8cd6d05947605340cbf426

SHA256
73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6

SHA512
8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
b99b0dc7cab4e69d365783a5c4273a83

SHA1
5fcc44aa2631c923e9961266a2e0dbeaaabe84da

SHA256
1fc967a5c8f7859ba0c410978d165085f241195fe4a31d61a127e38c30d435e4

SHA512
495474416f5eccd40829d42f050464903273d564cb862b1bd0657262485e634b5d466363cac085406c6d830f42a2f7b5648818b2efe6db1a90833a4b90a6a14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a920eceddece6cf7f3487fd8e919af34

SHA1
a6dee2d31d4cbd1b18f5d3bc971521411a699889

SHA256
ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6

SHA512
a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
449B

MD5
c6b0028a6f5508ef564d624eda0e72bc

SHA1
18901c9856a9af672c2e27383c15d2da41f27b6b

SHA256
b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06

SHA512
5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
431B

MD5
9fa547ff360b09f7e093593af0b5a13b

SHA1
9debc99bb7450f59a7b09f16c0393e5c7a955ba4

SHA256
7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705

SHA512
30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
0bccb0cc2d0641cd0ac7ce17afe64b9f

SHA1
103f5bc2b153913e8a614a7abb43941fe90862a4

SHA256
cae50ec401dae988f1221cead7de58cf4301040fd9fbb8d1c4ad032034ee1842

SHA512
cce4edc7c607ca3969fb19f93a836d87170e2c50fcf136acb3bcb5500b99b1ae73a999b7d648a3643f58cf960b071b24215e1c59f874ca38a50cf1ef90b06389

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
274B

MD5
eee5718ce97d259fd8acec31375fc375

SHA1
989c64b0c9a049f1b7ad9e677c4566ab1559744f

SHA256
1975123645c58e5160d63cc6ab8430f9dd0bc70d5cddafccf3687d655730dcfb

SHA512
6c2e14846b20128ac8bea8470b4455fd4b65de7457c216824cfa7008fafa41c29445290de6780dc4f6f3beea97ec3137c02c9b7504877d6c845e573a7b7db610

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
206B

MD5
2d9f1ff716273d19e3f0d10a3cd8736f

SHA1
b4ca02834dd3f3489c5088d2157279d2be90f5ff

SHA256
9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623

SHA512
1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
574B

MD5
5020988c301a6bf0c54a293ddf64837c

SHA1
5b65e689a2988b9a739d53565b2a847f20d70f09

SHA256
a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d

SHA512
921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3637baf389a0d79b412adb2a7f1b7d09

SHA1
f4b011a72f59cf98a325f12b7e40ddd0548ccc16

SHA256
835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba

SHA512
ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5bf31d7ea99b678c867ccdec344298aa

SHA1
2e548f54bf50d13993105c4f59bbeaeb87b17a68

SHA256
52be521b5509b444c0369ea7e69fc06b2d0b770cf600386c9a0178225ccdd281

SHA512
1bc82b65efe8c2be419748c8534210e7ad8cc8332ef87fb5df828eaebfdf630066ab3ad8d3ceeb82dee5ec4e680daff2748fcd4beaad8c71f1477b2ec7fe3564

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
e6d8af5aed642209c88269bf56af50ae

SHA1
633d40da997074dc0ed10938ebc49a3aeb3a7fc8

SHA256
550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

SHA512
6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f82bc8865c1f6bf7125563479421f95c

SHA1
65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d

SHA256
f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6

SHA512
00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
fa83299c5a0d8714939977af6bdafa92

SHA1
46a4abab9b803a7361ab89d0ca000a367550e23c

SHA256
f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

SHA512
85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5575ef034e791d4d3b09da6c0c4ee764

SHA1
50a0851ddf4b0c4014ad91f976e953baffe30951

SHA256
9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14

SHA512
ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
63ff40a70037650fd0acfd68314ffc94

SHA1
1ab29adec6714edf286485ac5889fddb1d092e93

SHA256
1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b

SHA512
2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
0a839c0e3eb1ed25e6211159e43f4df1

SHA1
a227a9322f58b8f40b2f6f326dca58145f599587

SHA256
717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0

SHA512
bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
c8441ec8a2edf9b2f4f631fe930ea4d9

SHA1
2855ee21116b427d280fcaa2471c9bd3d2957f6f

SHA256
dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184

SHA512
b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
831afd728dd974045c0654510071d405

SHA1
9484f4ee8e9eef0956553a59cfbcbe99a8822026

SHA256
03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2

SHA512
ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5aa228bc61037ddaf7a22dab4a04e9a1

SHA1
b50fcd8f643ea748f989a06e38c778884b3c19f2

SHA256
65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b

SHA512
2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
7fe70731de9e888ca911baeb99ee503d

SHA1
0073da5273512f66dbf570580dc55957535c2478

SHA256
ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a

SHA512
4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ad9e5e67282bb74482c05e3bf2eb188b

SHA1
10b02442ea4b1151a2334645c3e290a82ecfad1f

SHA256
7af82efceff1e9221d76472e6ffd6aa78ca00ccbb5fa32cb2238ed08812b931f

SHA512
b0ca37f35618547b4e5ab94eb367940a9d5a500b5c91cf2bbdddba8d1725bcc619c5acd2365711a970c307bbe0aa539b50803d119963b9f0c6da198e3157ded7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ffbb389d817acf25cc38799c239d512c

SHA1
8b4854ed9e257c3da9ec11d0f145805c6ae6193f

SHA256
f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39

SHA512
382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
e78a2688839aaee80b2bfdc4639329c5

SHA1
818a0dd05493b075a9f2eaf063e64d5a653f470a

SHA256
bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

SHA512
2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
6b0182442d6e09100c34904ae6d8ee0c

SHA1
6255e65587505629521ea048a4e40cc48b512f2c

SHA256
cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4

SHA512
64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
538B

MD5
d67d51b859c99a46a906a4c3a6ff6560

SHA1
b685cc703a1c86ba8ad681b545a6f3014b80d585

SHA256
33d0a27d49cd3cfa5a4ef5027d3defe60a3f7be1a3914870390b9829d360937a

SHA512
c986416a115ca162ee28d5dfd1159538d81a751e4961340415718c0d1f0ffa4d80675b4b698ed039eef86cbe1b2c0b01a0004dea39111056013d3e0a0179cedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
476B

MD5
a5d4cddfecf34e5391a7a3df62312327

SHA1
04a3c708bab0c15b6746cf9dbf41a71c917a98b9

SHA256
8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a

SHA512
48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Windows\SysWOW64\sm1.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\juuezf.com

Filesize
98KB

MD5
ade99c01a1e92f6dc5c4a4bfec9649e3

SHA1
21a66edc54dcb6ec86007a7a696eb08b98ab36f6

SHA256
f007989340d051c2715bedb1bd5d4736cd90dde2453591e4614c3787dae9b126

SHA512
d86653c1c2a0b93648e379ee793c830db237385d9cee8718d2eb87a3aa46a5594d18029d54026f8dea02e24be31b87dc19eb2d9d4e786dfefe07998324df87e7

Download Submit
memory/352-6301-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/572-5082-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/580-1806-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/580-2045-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/588-4959-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/596-4717-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/600-5449-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/776-7029-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/904-6545-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/960-5692-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/976-298-0x0000000002910000-0x000000000299A000-memory.dmp

Filesize
552KB

Download
memory/976-419-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/976-306-0x0000000002910000-0x000000000299A000-memory.dmp

Filesize
552KB

Download
memory/976-286-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1032-1677-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1032-1440-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1032-1438-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1112-1692-0x00000000024A0000-0x000000000252A000-memory.dmp

Filesize
552KB

Download
memory/1112-1561-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1112-1563-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1112-1683-0x00000000024A0000-0x000000000252A000-memory.dmp

Filesize
552KB

Download
memory/1112-1801-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1240-3505-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1268-3632-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1268-3868-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1312-4110-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1404-273-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1404-290-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1404-280-0x00000000024E0000-0x000000000256A000-memory.dmp

Filesize
552KB

Download
memory/1488-7389-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1492-264-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1492-249-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1620-1923-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1620-1690-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1620-1813-0x0000000002500000-0x000000000258A000-memory.dmp

Filesize
552KB

Download
memory/1636-6909-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1640-1318-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1640-1555-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1640-1447-0x00000000024E0000-0x000000000256A000-memory.dmp

Filesize
552KB

Download
memory/1648-2670-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1648-2898-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1728-687-0x00000000027C0000-0x000000000284A000-memory.dmp

Filesize
552KB

Download
memory/1728-561-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1728-803-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1756-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1756-234-0x0000000000740000-0x00000000007CA000-memory.dmp

Filesize
552KB

Download
memory/1756-125-0x0000000000740000-0x00000000007CA000-memory.dmp

Filesize
552KB

Download
memory/1756-240-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1784-2179-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1784-2410-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1792-7148-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1804-3020-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1812-4231-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-926-0x0000000002750000-0x00000000027DA000-memory.dmp

Filesize
552KB

Download
memory/1820-693-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-931-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1836-261-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1836-276-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1852-2906-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1852-3142-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1852-2904-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1884-4595-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1920-6666-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1944-3032-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1944-3264-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2016-2050-0x00000000004D0000-0x000000000055A000-memory.dmp

Filesize
552KB

Download
memory/2016-2167-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2016-1930-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2016-1928-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2044-1056-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2044-938-0x0000000002540000-0x00000000025CA000-memory.dmp

Filesize
552KB

Download
memory/2044-812-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2060-7269-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2116-3149-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2116-3147-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2116-3383-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2120-546-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2120-312-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2280-4352-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2316-5204-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2328-1316-0x00000000027A0000-0x000000000282A000-memory.dmp

Filesize
552KB

Download
memory/2328-1432-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2328-1202-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2328-1195-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2392-434-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2392-675-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2404-947-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2404-1075-0x00000000025D0000-0x000000000265A000-memory.dmp

Filesize
552KB

Download
memory/2404-1185-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2404-1068-0x00000000025D0000-0x000000000265A000-memory.dmp

Filesize
552KB

Download
memory/2412-2052-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2412-2172-0x00000000006D0000-0x000000000075A000-memory.dmp

Filesize
552KB

Download
memory/2412-2287-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2432-7509-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2476-1309-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2476-1193-0x00000000004D0000-0x000000000055A000-memory.dmp

Filesize
552KB

Download
memory/2476-1136-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2492-5934-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2500-5327-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2516-2423-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2516-2546-0x0000000002440000-0x00000000024CA000-memory.dmp

Filesize
552KB

Download
memory/2516-2655-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2516-2653-0x0000000002440000-0x00000000024CA000-memory.dmp

Filesize
552KB

Download
memory/2604-6177-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2644-6422-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2656-2654-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2656-2777-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2656-2669-0x00000000025F0000-0x000000000267A000-memory.dmp

Filesize
552KB

Download
memory/2676-5570-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2684-2294-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2684-2296-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2684-2534-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2684-2416-0x0000000002840000-0x00000000028CA000-memory.dmp

Filesize
552KB

Download
memory/2684-2445-0x0000000002840000-0x00000000028CA000-memory.dmp

Filesize
552KB

Download
memory/2704-3623-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2704-3396-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2768-3990-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-6055-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2836-3630-0x00000000028B0000-0x000000000293A000-memory.dmp

Filesize
552KB

Download
memory/2836-3745-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2860-236-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2860-248-0x0000000002830000-0x00000000028BA000-memory.dmp

Filesize
552KB

Download
memory/2860-251-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2860-235-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2924-5813-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2956-4837-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3056-4474-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3064-6787-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads