netwire | fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
Size

283KB
MD5

6b5a574c81822c806e598fde5aad93fc
SHA1

afbdd84b379d5c392674f2a54bedf01f6f7f9f2b
SHA256

fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa
SHA512

5ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff
SSDEEP

6144:AoMdUh1RXAi/q7KtrDTWXWQGaeyLl2HWYkgSEXMEV9p:AjwJWX55mk

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

185.163.100.6:111

Attributes

activex_autorun
true
activex_key
{446644VO-124I-732R-6QR3-BBYQ1W40UCW2}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
YSxJvAQj
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 64 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4040-3-0x00000000023F0000-0x000000000243A000-memory.dmp	netwire
behavioral2/memory/2052-13-0x0000000005190000-0x00000000051DA000-memory.dmp	netwire
behavioral2/memory/4916-16-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4916-21-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4916-19-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1572-37-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2152-51-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4108-73-0x0000000005760000-0x00000000057AA000-memory.dmp	netwire
behavioral2/memory/412-109-0x00000000049B0000-0x00000000049FA000-memory.dmp	netwire
behavioral2/memory/2760-124-0x0000000004B60000-0x0000000004BAA000-memory.dmp	netwire
behavioral2/memory/4204-146-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1312-175-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4960-176-0x00000000058D0000-0x000000000591A000-memory.dmp	netwire
behavioral2/memory/472-219-0x00000000048D0000-0x000000000491A000-memory.dmp	netwire
behavioral2/memory/2364-250-0x0000000002870000-0x00000000028BA000-memory.dmp	netwire
behavioral2/memory/1048-256-0x0000000003070000-0x00000000030BA000-memory.dmp	netwire
behavioral2/memory/1456-271-0x00000000033C0000-0x000000000340A000-memory.dmp	netwire
behavioral2/memory/4064-293-0x0000000005660000-0x00000000056AA000-memory.dmp	netwire
behavioral2/memory/1440-303-0x00000000024C0000-0x000000000250A000-memory.dmp	netwire
behavioral2/memory/1032-337-0x0000000002E70000-0x0000000002EBA000-memory.dmp	netwire
behavioral2/memory/1172-396-0x0000000004B90000-0x0000000004BDA000-memory.dmp	netwire
behavioral2/memory/3936-416-0x0000000005190000-0x00000000051DA000-memory.dmp	netwire
behavioral2/memory/4308-440-0x0000000004EE0000-0x0000000004F2A000-memory.dmp	netwire
behavioral2/memory/1280-446-0x0000000003170000-0x00000000031BA000-memory.dmp	netwire
behavioral2/memory/4164-475-0x0000000002730000-0x000000000277A000-memory.dmp	netwire
behavioral2/memory/2460-511-0x0000000005810000-0x000000000585A000-memory.dmp	netwire
behavioral2/memory/3700-540-0x00000000053D0000-0x000000000541A000-memory.dmp	netwire
behavioral2/memory/4132-555-0x0000000004A20000-0x0000000004A6A000-memory.dmp	netwire
behavioral2/memory/2772-626-0x0000000000D30000-0x0000000000D7A000-memory.dmp	netwire
behavioral2/memory/4508-636-0x0000000004BA0000-0x0000000004BEA000-memory.dmp	netwire
behavioral2/memory/2388-686-0x00000000024C0000-0x000000000250A000-memory.dmp	netwire
behavioral2/memory/936-701-0x0000000004960000-0x00000000049AA000-memory.dmp	netwire
behavioral2/memory/3632-707-0x0000000002470000-0x00000000024BA000-memory.dmp	netwire
behavioral2/memory/672-736-0x0000000005620000-0x000000000566A000-memory.dmp	netwire
behavioral2/memory/4860-772-0x0000000004990000-0x00000000049DA000-memory.dmp	netwire
behavioral2/memory/412-775-0x0000000004E10000-0x0000000004E5A000-memory.dmp	netwire
behavioral2/memory/936-783-0x0000000002440000-0x000000000248A000-memory.dmp	netwire
behavioral2/memory/1756-812-0x00000000025A0000-0x00000000025EA000-memory.dmp	netwire
behavioral2/memory/2812-820-0x0000000004C40000-0x0000000004C8A000-memory.dmp	netwire
behavioral2/memory/2052-856-0x0000000004D40000-0x0000000004D8A000-memory.dmp	netwire
behavioral2/memory/2776-869-0x0000000002DD0000-0x0000000002E1A000-memory.dmp	netwire
behavioral2/memory/1804-956-0x0000000002F20000-0x0000000002F6A000-memory.dmp	netwire
behavioral2/memory/1484-959-0x0000000004FB0000-0x0000000004FFA000-memory.dmp	netwire
behavioral2/memory/2716-1009-0x0000000002C10000-0x0000000002C5A000-memory.dmp	netwire
behavioral2/memory/2628-1064-0x0000000002A60000-0x0000000002AAA000-memory.dmp	netwire
behavioral2/memory/4980-1095-0x0000000002420000-0x000000000246A000-memory.dmp	netwire
behavioral2/memory/1600-1143-0x0000000004A00000-0x0000000004A4A000-memory.dmp	netwire
behavioral2/memory/4552-1165-0x00000000028C0000-0x000000000290A000-memory.dmp	netwire
behavioral2/memory/4136-1173-0x0000000002FE0000-0x000000000302A000-memory.dmp	netwire
behavioral2/memory/4684-1190-0x0000000004FE0000-0x000000000502A000-memory.dmp	netwire
behavioral2/memory/956-1275-0x00000000054D0000-0x000000000551A000-memory.dmp	netwire
behavioral2/memory/3660-1290-0x0000000004B40000-0x0000000004B8A000-memory.dmp	netwire
behavioral2/memory/4408-1338-0x0000000002230000-0x000000000227A000-memory.dmp	netwire
behavioral2/memory/2852-1348-0x0000000001E10000-0x0000000001E5A000-memory.dmp	netwire
behavioral2/memory/1820-1363-0x0000000004C30000-0x0000000004C7A000-memory.dmp	netwire
behavioral2/memory/1740-1467-0x0000000002DA0000-0x0000000002DEA000-memory.dmp	netwire
behavioral2/memory/3732-1477-0x0000000005100000-0x000000000514A000-memory.dmp	netwire
behavioral2/memory/1704-1490-0x0000000002B60000-0x0000000002BAA000-memory.dmp	netwire
behavioral2/memory/2772-1500-0x0000000004ED0000-0x0000000004F1A000-memory.dmp	netwire
behavioral2/memory/3332-1515-0x0000000002410000-0x000000000245A000-memory.dmp	netwire
behavioral2/memory/1628-1668-0x0000000002830000-0x000000000287A000-memory.dmp	netwire
behavioral2/memory/1696-1727-0x0000000002BB0000-0x0000000002BFA000-memory.dmp	netwire
behavioral2/memory/2364-1775-0x00000000014D0000-0x000000000151A000-memory.dmp	netwire
behavioral2/memory/3664-1904-0x0000000002540000-0x000000000258A000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 64 IoCs

Processes:

file.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exefile.exeHost.exefile.exefile.exeHost.exefile.exefile.exefile.exefile.exeHost.exefile.exefile.exefile.exe

pid	process
2052	file.exe
4916	file.exe
1620	Host.exe
4504	file.exe
1572	file.exe
1544	Host.exe
1704	file.exe
2152	file.exe
2004	Host.exe
4460	file.exe
696	file.exe
2788	Host.exe
4108	file.exe
4312	file.exe
4652	Host.exe
3632	file.exe
4164	file.exe
4708	Host.exe
1136	file.exe
4220	file.exe
412	Host.exe
3260	file.exe
4968	file.exe
3824	file.exe
2760	Host.exe
3704	file.exe
4444	file.exe
2756	Host.exe
2008	file.exe
4204	file.exe
2024	Host.exe
4040	file.exe
4172	file.exe
2196	Host.exe
1116	file.exe
1860	file.exe
5040	Host.exe
1424	file.exe
1312	file.exe
4960	Host.exe
2760	file.exe
4036	file.exe
3004	Host.exe
2008	file.exe
3524	file.exe
4500	Host.exe
660	file.exe
4908	file.exe
4628	Host.exe
1116	file.exe
2968	file.exe
3356	file.exe
4832	Host.exe
3212	file.exe
4980	file.exe
4108	Host.exe
4332	file.exe
4924	file.exe
3168	file.exe
4312	file.exe
472	Host.exe
2064	file.exe
628	file.exe
4796	file.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exe

description	pid	process	target process
PID 2052 set thread context of 4916	2052	file.exe	file.exe
PID 4504 set thread context of 1572	4504	file.exe	file.exe
PID 1704 set thread context of 2152	1704	file.exe	file.exe
PID 4460 set thread context of 696	4460	file.exe	file.exe
PID 4108 set thread context of 4312	4108	file.exe	file.exe
PID 3632 set thread context of 4164	3632	file.exe	file.exe
PID 1136 set thread context of 4220	1136	file.exe	file.exe
PID 3260 set thread context of 3824	3260	file.exe	file.exe
PID 3704 set thread context of 4444	3704	file.exe	file.exe
PID 2008 set thread context of 4204	2008	file.exe	file.exe
PID 4040 set thread context of 4172	4040	file.exe	file.exe
PID 1116 set thread context of 1860	1116	file.exe	file.exe
PID 1424 set thread context of 1312	1424	file.exe	file.exe
PID 2760 set thread context of 4036	2760	file.exe	file.exe
PID 2008 set thread context of 3524	2008	file.exe	file.exe
PID 660 set thread context of 4908	660	file.exe	file.exe
PID 1116 set thread context of 3356	1116	file.exe	file.exe
PID 3212 set thread context of 4980	3212	file.exe	file.exe
PID 4332 set thread context of 4312	4332	file.exe	file.exe
PID 2064 set thread context of 4796	2064	file.exe	file.exe
PID 1160 set thread context of 3404	1160	file.exe	file.exe
PID 792 set thread context of 3704	792	file.exe	file.exe
PID 2760 set thread context of 4972	2760	file.exe	file.exe
PID 2364 set thread context of 4452	2364	file.exe	file.exe
PID 848 set thread context of 2220	848	file.exe	file.exe
PID 3260 set thread context of 5040	3260	file.exe	file.exe
PID 4492 set thread context of 4980	4492	file.exe	file.exe
PID 4444 set thread context of 212	4444	file.exe	file.exe
PID 2240 set thread context of 1592	2240	file.exe	file.exe
PID 3412 set thread context of 5084	3412	file.exe	file.exe
PID 1440 set thread context of 4520	1440	file.exe	file.exe
PID 4576 set thread context of 2516	4576	file.exe	file.exe
PID 1044 set thread context of 4832	1044	file.exe	file.exe
PID 3468 set thread context of 2616	3468	file.exe	file.exe
PID 2572 set thread context of 1984	2572	file.exe	file.exe
PID 2128 set thread context of 2108	2128	file.exe	file.exe
PID 5040 set thread context of 1540	5040	file.exe	file.exe
PID 1760 set thread context of 1052	1760	file.exe	file.exe
PID 4688 set thread context of 4816	4688	file.exe	file.exe
PID 2920 set thread context of 2964	2920	file.exe	file.exe
PID 4900 set thread context of 5036	4900	file.exe	file.exe
PID 4520 set thread context of 4092	4520	file.exe	file.exe
PID 1456 set thread context of 2480	1456	file.exe	file.exe
PID 1172 set thread context of 4452	1172	file.exe	file.exe
PID 3468 set thread context of 3076	3468	file.exe	file.exe
PID 4412 set thread context of 4800	4412	file.exe	file.exe
PID 892 set thread context of 4472	892	file.exe	file.exe
PID 1412 set thread context of 3636	1412	file.exe	file.exe
PID 4316 set thread context of 2232	4316	file.exe	file.exe
PID 4308 set thread context of 4284	4308	file.exe	file.exe
PID 2988 set thread context of 2220	2988	file.exe	file.exe
PID 1424 set thread context of 4976	1424	file.exe	file.exe
PID 2144 set thread context of 1232	2144	file.exe	file.exe
PID 460 set thread context of 1760	460	file.exe	file.exe
PID 2376 set thread context of 3024	2376	file.exe	file.exe
PID 4504 set thread context of 2220	4504	file.exe	file.exe
PID 3864 set thread context of 2548	3864	file.exe	file.exe
PID 4172 set thread context of 2016	4172	file.exe	file.exe
PID 3440 set thread context of 3388	3440	file.exe	file.exe
PID 4704 set thread context of 776	4704	file.exe	file.exe
PID 2968 set thread context of 1768	2968	file.exe	file.exe
PID 5036 set thread context of 2520	5036	file.exe	file.exe
PID 852 set thread context of 4960	852	file.exe	file.exe
PID 3988 set thread context of 1988	3988	file.exe	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exeHost.exefile.exe

description	pid	process
Token: SeDebugPrivilege	4040	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
Token: SeDebugPrivilege	2052	file.exe
Token: SeDebugPrivilege	1620	Host.exe
Token: SeDebugPrivilege	4504	file.exe
Token: SeDebugPrivilege	1544	Host.exe
Token: SeDebugPrivilege	1704	file.exe
Token: SeDebugPrivilege	2004	Host.exe
Token: SeDebugPrivilege	4460	file.exe
Token: SeDebugPrivilege	2788	Host.exe
Token: SeDebugPrivilege	4108	file.exe
Token: SeDebugPrivilege	4652	Host.exe
Token: SeDebugPrivilege	3632	file.exe
Token: SeDebugPrivilege	4708	Host.exe
Token: SeDebugPrivilege	1136	file.exe
Token: SeDebugPrivilege	412	Host.exe
Token: SeDebugPrivilege	3260	file.exe
Token: SeDebugPrivilege	2760	Host.exe
Token: SeDebugPrivilege	3704	file.exe
Token: SeDebugPrivilege	2756	Host.exe
Token: SeDebugPrivilege	2008	file.exe
Token: SeDebugPrivilege	2024	Host.exe
Token: SeDebugPrivilege	4040	file.exe
Token: SeDebugPrivilege	2196	Host.exe
Token: SeDebugPrivilege	1116	file.exe
Token: SeDebugPrivilege	5040	Host.exe
Token: SeDebugPrivilege	1424	file.exe
Token: SeDebugPrivilege	4960	Host.exe
Token: SeDebugPrivilege	2760	file.exe
Token: SeDebugPrivilege	3004	Host.exe
Token: SeDebugPrivilege	2008	file.exe
Token: SeDebugPrivilege	4500	Host.exe
Token: SeDebugPrivilege	660	file.exe
Token: SeDebugPrivilege	4628	Host.exe
Token: SeDebugPrivilege	1116	file.exe
Token: SeDebugPrivilege	4832	Host.exe
Token: SeDebugPrivilege	3212	file.exe
Token: SeDebugPrivilege	4108	Host.exe
Token: SeDebugPrivilege	4332	file.exe
Token: SeDebugPrivilege	472	Host.exe
Token: SeDebugPrivilege	2064	file.exe
Token: SeDebugPrivilege	3520	Host.exe
Token: SeDebugPrivilege	1160	file.exe
Token: SeDebugPrivilege	3228	Host.exe
Token: SeDebugPrivilege	792	file.exe
Token: SeDebugPrivilege	4832	Host.exe
Token: SeDebugPrivilege	2760	file.exe
Token: SeDebugPrivilege	4420	Host.exe
Token: SeDebugPrivilege	2364	file.exe
Token: SeDebugPrivilege	1048	Host.exe
Token: SeDebugPrivilege	848	file.exe
Token: SeDebugPrivilege	3672	Host.exe
Token: SeDebugPrivilege	3260	file.exe
Token: SeDebugPrivilege	1456	Host.exe
Token: SeDebugPrivilege	4492	file.exe
Token: SeDebugPrivilege	3212	Host.exe
Token: SeDebugPrivilege	4444	file.exe
Token: SeDebugPrivilege	4924	Host.exe
Token: SeDebugPrivilege	2240	file.exe
Token: SeDebugPrivilege	4064	Host.exe
Token: SeDebugPrivilege	3412	file.exe
Token: SeDebugPrivilege	1048	Host.exe
Token: SeDebugPrivilege	1440	file.exe
Token: SeDebugPrivilege	3672	Host.exe
Token: SeDebugPrivilege	4576	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.execmd.exefile.execmd.exefile.exeHost.execmd.exefile.execmd.exefile.exeHost.execmd.exefile.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 1140	4040	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe	cmd.exe
PID 4040 wrote to memory of 1140	4040	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe	cmd.exe
PID 4040 wrote to memory of 1140	4040	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 2052	1140	cmd.exe	file.exe
PID 1140 wrote to memory of 2052	1140	cmd.exe	file.exe
PID 1140 wrote to memory of 2052	1140	cmd.exe	file.exe
PID 2052 wrote to memory of 1360	2052	file.exe	cmd.exe
PID 2052 wrote to memory of 1360	2052	file.exe	cmd.exe
PID 2052 wrote to memory of 1360	2052	file.exe	cmd.exe
PID 1360 wrote to memory of 2232	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 2232	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 2232	1360	cmd.exe	reg.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 2052 wrote to memory of 4916	2052	file.exe	file.exe
PID 4916 wrote to memory of 1620	4916	file.exe	Host.exe
PID 4916 wrote to memory of 1620	4916	file.exe	Host.exe
PID 4916 wrote to memory of 1620	4916	file.exe	Host.exe
PID 1620 wrote to memory of 4984	1620	Host.exe	cmd.exe
PID 1620 wrote to memory of 4984	1620	Host.exe	cmd.exe
PID 1620 wrote to memory of 4984	1620	Host.exe	cmd.exe
PID 4984 wrote to memory of 4504	4984	cmd.exe	file.exe
PID 4984 wrote to memory of 4504	4984	cmd.exe	file.exe
PID 4984 wrote to memory of 4504	4984	cmd.exe	file.exe
PID 4504 wrote to memory of 628	4504	file.exe	cmd.exe
PID 4504 wrote to memory of 628	4504	file.exe	cmd.exe
PID 4504 wrote to memory of 628	4504	file.exe	cmd.exe
PID 628 wrote to memory of 2304	628	cmd.exe	reg.exe
PID 628 wrote to memory of 2304	628	cmd.exe	reg.exe
PID 628 wrote to memory of 2304	628	cmd.exe	reg.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 4504 wrote to memory of 1572	4504	file.exe	file.exe
PID 1572 wrote to memory of 1544	1572	file.exe	Host.exe
PID 1572 wrote to memory of 1544	1572	file.exe	Host.exe
PID 1572 wrote to memory of 1544	1572	file.exe	Host.exe
PID 1544 wrote to memory of 4684	1544	Host.exe	cmd.exe
PID 1544 wrote to memory of 4684	1544	Host.exe	cmd.exe
PID 1544 wrote to memory of 4684	1544	Host.exe	cmd.exe
PID 4684 wrote to memory of 1704	4684	cmd.exe	file.exe
PID 4684 wrote to memory of 1704	4684	cmd.exe	file.exe
PID 4684 wrote to memory of 1704	4684	cmd.exe	file.exe
PID 1704 wrote to memory of 392	1704	file.exe	cmd.exe
PID 1704 wrote to memory of 392	1704	file.exe	cmd.exe
PID 1704 wrote to memory of 392	1704	file.exe	cmd.exe
PID 392 wrote to memory of 4948	392	cmd.exe	reg.exe
PID 392 wrote to memory of 4948	392	cmd.exe	reg.exe
PID 392 wrote to memory of 4948	392	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
5⤵
PID:2232

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
"cmd"
6⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\cmd.exe
"cmd"
8⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
9⤵
- Adds Run key to start application
PID:2304

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cmd.exe
"cmd"
10⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
"cmd"
12⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
13⤵
PID:4948

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
12⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\cmd.exe
"cmd"
14⤵
PID:4180

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\cmd.exe
"cmd"
16⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
17⤵
PID:4700

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
16⤵
- Executes dropped EXE
PID:696

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\cmd.exe
"cmd"
18⤵
PID:3332

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\SysWOW64\cmd.exe
"cmd"
20⤵
PID:184

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
21⤵
- Adds Run key to start application
PID:4364

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
20⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\cmd.exe
"cmd"
22⤵
PID:2792

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SysWOW64\cmd.exe
"cmd"
24⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
25⤵
PID:3912

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
24⤵
- Executes dropped EXE
PID:4164

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\cmd.exe
"cmd"
26⤵
PID:4796

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\cmd.exe
"cmd"
28⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
29⤵
PID:660

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
28⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\SysWOW64\cmd.exe
"cmd"
30⤵
PID:1860

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\cmd.exe
"cmd"
32⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
33⤵
- Adds Run key to start application
PID:3060

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
32⤵
- Executes dropped EXE
PID:4968

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
32⤵
- Executes dropped EXE
PID:3824

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\cmd.exe
"cmd"
34⤵
PID:4832

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\SysWOW64\cmd.exe
"cmd"
36⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
37⤵
- Adds Run key to start application
PID:4492

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
36⤵
- Executes dropped EXE
PID:4444

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\cmd.exe
"cmd"
38⤵
PID:2040

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\cmd.exe
"cmd"
40⤵
PID:472

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
41⤵
PID:2748

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
40⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\cmd.exe
"cmd"
42⤵
PID:3536

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\cmd.exe
"cmd"
44⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
45⤵
PID:848

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
44⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\cmd.exe
"cmd"
46⤵
PID:5100

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\cmd.exe
"cmd"
48⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
49⤵
- Adds Run key to start application
PID:3672

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
48⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\cmd.exe
"cmd"
50⤵
PID:2968

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\cmd.exe
"cmd"
52⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
53⤵
PID:1372

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
52⤵
- Executes dropped EXE
PID:1312

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SysWOW64\cmd.exe
"cmd"
54⤵
PID:1540

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\cmd.exe
"cmd"
56⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
57⤵
PID:460

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
56⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\cmd.exe
"cmd"
58⤵
PID:1592

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\cmd.exe
"cmd"
60⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
61⤵
PID:4816

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
60⤵
- Executes dropped EXE
PID:3524

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\SysWOW64\cmd.exe
"cmd"
62⤵
PID:4340

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\cmd.exe
"cmd"
64⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
65⤵
PID:1392

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
64⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
65⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\SysWOW64\cmd.exe
"cmd"
66⤵
PID:4220

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
67⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\cmd.exe
"cmd"
68⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
69⤵
PID:3860

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
68⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
68⤵
- Executes dropped EXE
PID:3356

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
69⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\cmd.exe
"cmd"
70⤵
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1424

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
71⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\cmd.exe
"cmd"
72⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
73⤵
PID:4576

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
72⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
73⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\SysWOW64\cmd.exe
"cmd"
74⤵
PID:852

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
75⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\cmd.exe
"cmd"
76⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
77⤵
- Adds Run key to start application
PID:1484

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
76⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
76⤵
- Executes dropped EXE
PID:3168

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
76⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
77⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\cmd.exe
"cmd"
78⤵
PID:4652

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
79⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\cmd.exe
"cmd"
80⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
81⤵
PID:2764

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
80⤵
- Executes dropped EXE
PID:628

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
80⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
81⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\cmd.exe
"cmd"
82⤵
PID:3672

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
83⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\cmd.exe
"cmd"
84⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
85⤵
PID:3668

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
84⤵
PID:3060

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
84⤵
PID:3860

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
84⤵
PID:3404

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
85⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\cmd.exe
"cmd"
86⤵
PID:4132

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
87⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\SysWOW64\cmd.exe
"cmd"
88⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
89⤵
PID:1768

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
88⤵
PID:3704

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
89⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\cmd.exe
"cmd"
90⤵
PID:4960

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
91⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\cmd.exe
"cmd"
92⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
93⤵
PID:1760

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
92⤵
PID:4972

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
93⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\cmd.exe
"cmd"
94⤵
PID:4192

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
95⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\cmd.exe
"cmd"
96⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
97⤵
PID:2232

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
96⤵
PID:4452

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
97⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd"
98⤵
PID:3340

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
99⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\cmd.exe
"cmd"
100⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
101⤵
PID:5048

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
100⤵
PID:2220

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
101⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\SysWOW64\cmd.exe
"cmd"
102⤵
PID:3904

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
103⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\cmd.exe
"cmd"
104⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
105⤵
PID:1012

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
104⤵
PID:5040

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
105⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd"
106⤵
PID:3800

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
107⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd"
108⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
109⤵
PID:1804

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
108⤵
PID:4980

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
109⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\cmd.exe
"cmd"
110⤵
PID:2480

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
111⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\cmd.exe
"cmd"
112⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
113⤵
PID:4912

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
112⤵
PID:1764

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
112⤵
PID:212

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
113⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\cmd.exe
"cmd"
114⤵
PID:2864

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
115⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\cmd.exe
"cmd"
116⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
117⤵
PID:4452

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
116⤵
PID:1592

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
117⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\cmd.exe
"cmd"
118⤵
PID:2572

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
119⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\SysWOW64\cmd.exe
"cmd"
120⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
121⤵
PID:4656

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
120⤵
PID:3024

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
120⤵
PID:5084

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
121⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd"
122⤵
PID:3644

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
123⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\cmd.exe
"cmd"
124⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
125⤵
PID:1160

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
124⤵
PID:4520

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
125⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\SysWOW64\cmd.exe
"cmd"
126⤵
PID:2548

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
127⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\SysWOW64\cmd.exe
"cmd"
128⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
129⤵
PID:444

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
128⤵
PID:2516

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
129⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
"cmd"
130⤵
PID:3668

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
131⤵
- Suspicious use of SetThreadContext
PID:1044

C:\Windows\SysWOW64\cmd.exe
"cmd"
132⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
133⤵
PID:1232

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
132⤵
PID:4832

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
133⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
"cmd"
134⤵
PID:4012

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
135⤵
- Suspicious use of SetThreadContext
PID:3468

C:\Windows\SysWOW64\cmd.exe
"cmd"
136⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
137⤵
- Adds Run key to start application
PID:3004

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
136⤵
PID:2616

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
137⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
"cmd"
138⤵
PID:1244

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
139⤵
- Suspicious use of SetThreadContext
PID:2572

C:\Windows\SysWOW64\cmd.exe
"cmd"
140⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
141⤵
- Adds Run key to start application
PID:4780

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
140⤵
PID:1984

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
141⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
"cmd"
142⤵
PID:2144

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
143⤵
- Suspicious use of SetThreadContext
PID:2128

C:\Windows\SysWOW64\cmd.exe
"cmd"
144⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
145⤵
PID:2816

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
144⤵
PID:2108

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
145⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
"cmd"
146⤵
PID:216

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
147⤵
- Suspicious use of SetThreadContext
PID:5040

C:\Windows\SysWOW64\cmd.exe
"cmd"
148⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
149⤵
PID:3992

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
148⤵
PID:1540

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
149⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
"cmd"
150⤵
PID:4980

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
151⤵
- Suspicious use of SetThreadContext
PID:1760

C:\Windows\SysWOW64\cmd.exe
"cmd"
152⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
153⤵
PID:2760

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
152⤵
PID:3916

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
152⤵
PID:1836

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
152⤵
PID:2248

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
152⤵
PID:1052

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
153⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
"cmd"
154⤵
PID:4592

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
155⤵
- Suspicious use of SetThreadContext
PID:4688

C:\Windows\SysWOW64\cmd.exe
"cmd"
156⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
157⤵
PID:3004

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
156⤵
PID:4816

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
157⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
"cmd"
158⤵
PID:4660

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
159⤵
- Suspicious use of SetThreadContext
PID:2920

C:\Windows\SysWOW64\cmd.exe
"cmd"
160⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
161⤵
- Adds Run key to start application
PID:3204

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
160⤵
PID:2964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
161⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
"cmd"
162⤵
PID:4724

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
163⤵
- Suspicious use of SetThreadContext
PID:4900

C:\Windows\SysWOW64\cmd.exe
"cmd"
164⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
165⤵
- Adds Run key to start application
PID:4488

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
164⤵
PID:5036

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
165⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
"cmd"
166⤵
PID:2108

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
167⤵
- Suspicious use of SetThreadContext
PID:4520

C:\Windows\SysWOW64\cmd.exe
"cmd"
168⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
169⤵
PID:3704

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
168⤵
PID:2028

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
168⤵
PID:4092

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
169⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd"
170⤵
PID:4172

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
171⤵
- Suspicious use of SetThreadContext
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd"
172⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
173⤵
PID:2300

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
172⤵
PID:2480

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
173⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
"cmd"
174⤵
PID:2792

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
175⤵
- Suspicious use of SetThreadContext
PID:1172

C:\Windows\SysWOW64\cmd.exe
"cmd"
176⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
177⤵
- Adds Run key to start application
PID:4420

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
176⤵
PID:4452

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
177⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
"cmd"
178⤵
PID:1652

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
179⤵
- Suspicious use of SetThreadContext
PID:3468

C:\Windows\SysWOW64\cmd.exe
"cmd"
180⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
181⤵
PID:4704

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
180⤵
PID:3076

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
181⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
"cmd"
182⤵
PID:4964

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
183⤵
- Suspicious use of SetThreadContext
PID:4412

C:\Windows\SysWOW64\cmd.exe
"cmd"
184⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
185⤵
PID:4508

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
184⤵
PID:4800

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
185⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
"cmd"
186⤵
PID:3332

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
187⤵
- Suspicious use of SetThreadContext
PID:892

C:\Windows\SysWOW64\cmd.exe
"cmd"
188⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
189⤵
PID:372

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
188⤵
PID:3628

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
188⤵
PID:4472

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
189⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
"cmd"
190⤵
PID:1148

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
191⤵
- Suspicious use of SetThreadContext
PID:1412

C:\Windows\SysWOW64\cmd.exe
"cmd"
192⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
193⤵
PID:3612

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
192⤵
PID:3664

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
192⤵
PID:3636

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
193⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd"
194⤵
PID:2016

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
195⤵
- Suspicious use of SetThreadContext
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd"
196⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
197⤵
PID:2364

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
196⤵
PID:3524

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
196⤵
PID:2232

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
197⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
"cmd"
198⤵
PID:3940

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
199⤵
- Suspicious use of SetThreadContext
PID:4308

C:\Windows\SysWOW64\cmd.exe
"cmd"
200⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
201⤵
PID:1244

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
200⤵
PID:4284

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
201⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
"cmd"
202⤵
PID:796

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
203⤵
- Suspicious use of SetThreadContext
PID:2988

C:\Windows\SysWOW64\cmd.exe
"cmd"
204⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
205⤵
PID:2072

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
204⤵
PID:392

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
204⤵
PID:2220

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
205⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
"cmd"
206⤵
PID:3904

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
207⤵
- Suspicious use of SetThreadContext
PID:1424

C:\Windows\SysWOW64\cmd.exe
"cmd"
208⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
209⤵
- Adds Run key to start application
PID:2108

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
208⤵
PID:4976

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
209⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"cmd"
210⤵
PID:3984

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
211⤵
- Suspicious use of SetThreadContext
PID:2144

C:\Windows\SysWOW64\cmd.exe
"cmd"
212⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
213⤵
PID:1740

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
212⤵
PID:4392

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
212⤵
PID:1232

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
213⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd"
214⤵
PID:2972

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
215⤵
- Suspicious use of SetThreadContext
PID:460

C:\Windows\SysWOW64\cmd.exe
"cmd"
216⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
217⤵
- Adds Run key to start application
PID:1720

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
216⤵
PID:1988

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
216⤵
PID:1760

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
217⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
"cmd"
218⤵
PID:1864

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
219⤵
- Suspicious use of SetThreadContext
PID:2376

C:\Windows\SysWOW64\cmd.exe
"cmd"
220⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
221⤵
PID:3340

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
220⤵
PID:3940

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
220⤵
PID:3024

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
221⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
"cmd"
222⤵
PID:1012

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
223⤵
- Suspicious use of SetThreadContext
PID:4504

C:\Windows\SysWOW64\cmd.exe
"cmd"
224⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
225⤵
PID:2988

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
224⤵
PID:2220

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
225⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
"cmd"
226⤵
PID:4304

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
227⤵
- Suspicious use of SetThreadContext
PID:3864

C:\Windows\SysWOW64\cmd.exe
"cmd"
228⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
229⤵
- Adds Run key to start application
PID:5040

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
228⤵
PID:2028

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
228⤵
PID:2548

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
229⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
"cmd"
230⤵
PID:4288

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
231⤵
- Suspicious use of SetThreadContext
PID:4172

C:\Windows\SysWOW64\cmd.exe
"cmd"
232⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
233⤵
PID:4832

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
232⤵
PID:3860

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
232⤵
PID:2016

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
233⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
"cmd"
234⤵
PID:3004

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
235⤵
- Suspicious use of SetThreadContext
PID:3440

C:\Windows\SysWOW64\cmd.exe
"cmd"
236⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
237⤵
PID:3948

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
236⤵
PID:1476

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
236⤵
PID:3388

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
237⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
"cmd"
238⤵
PID:2772

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
239⤵
- Suspicious use of SetThreadContext
PID:4704

C:\Windows\SysWOW64\cmd.exe
"cmd"
240⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
241⤵
PID:2376

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
240⤵
PID:776

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
241⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
"cmd"
242⤵
PID:3076

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
243⤵
- Suspicious use of SetThreadContext
PID:2968

C:\Windows\SysWOW64\cmd.exe
"cmd"
244⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
245⤵
PID:5084

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
244⤵
PID:1768

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
245⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"cmd"
246⤵
PID:1704

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
247⤵
- Suspicious use of SetThreadContext
PID:5036

C:\Windows\SysWOW64\cmd.exe
"cmd"
248⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
249⤵
PID:1540

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
248⤵
PID:2520

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
249⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"cmd"
250⤵
PID:2548

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
251⤵
- Suspicious use of SetThreadContext
PID:852

C:\Windows\SysWOW64\cmd.exe
"cmd"
252⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
253⤵
PID:1276

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
252⤵
PID:1052

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
252⤵
PID:4960

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
253⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"cmd"
254⤵
PID:4348

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
255⤵
- Suspicious use of SetThreadContext
PID:3988

C:\Windows\SysWOW64\cmd.exe
"cmd"
256⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
257⤵
PID:4652

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
256⤵
PID:4360

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
256⤵
PID:1988

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
257⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
"cmd"
258⤵
PID:1168

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
259⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
"cmd"
260⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
261⤵
PID:552

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
260⤵
PID:2772

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
261⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
"cmd"
262⤵
PID:1984

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
263⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd"
264⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
265⤵
PID:4628

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
264⤵
PID:1440

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
265⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd"
266⤵
PID:4552

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
267⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
"cmd"
268⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
269⤵
PID:4100

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
268⤵
PID:3100

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
269⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
"cmd"
270⤵
PID:3336

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
271⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
"cmd"
272⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
273⤵
- Adds Run key to start application
PID:1676

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
272⤵
PID:1232

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
273⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
"cmd"
274⤵
PID:2028

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
275⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
"cmd"
276⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
277⤵
PID:2268

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
276⤵
PID:4452

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
276⤵
PID:3848

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
277⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
"cmd"
278⤵
PID:2812

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
279⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
"cmd"
280⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
281⤵
PID:4688

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
280⤵
PID:4284

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
281⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
"cmd"
282⤵
PID:4964

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
283⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
"cmd"
284⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
285⤵
- Adds Run key to start application
PID:1012

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
284⤵
PID:2988

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
285⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"cmd"
286⤵
PID:372

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
287⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
"cmd"
288⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
289⤵
PID:1372

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
288⤵
PID:4336

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
289⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
"cmd"
290⤵
PID:4256

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
291⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
"cmd"
292⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
293⤵
- Adds Run key to start application
PID:3452

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
292⤵
PID:4308

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
292⤵
PID:752

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
292⤵
PID:4908

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
292⤵
PID:2528

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
293⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
"cmd"
294⤵
PID:3612

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
295⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
"cmd"
296⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
297⤵
PID:4452

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
296⤵
PID:1216

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
296⤵
PID:3668

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
296⤵
PID:1764

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
297⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
"cmd"
298⤵
PID:460

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
299⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
"cmd"
300⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
301⤵
- Adds Run key to start application
PID:3372

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
300⤵
PID:3340

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
300⤵
PID:4284

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
301⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
"cmd"
302⤵
PID:2064

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
303⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
"cmd"
304⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
305⤵
- Adds Run key to start application
PID:2220

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
304⤵
PID:3876

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
305⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
"cmd"
306⤵
PID:4092

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
307⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"cmd"
308⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
309⤵
PID:1420

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
308⤵
PID:3904

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
309⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
"cmd"
310⤵
PID:1836

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
311⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
"cmd"
312⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
313⤵
PID:1804

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
312⤵
PID:4592

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
313⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
"cmd"
314⤵
PID:2972

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
315⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
"cmd"
316⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
317⤵
PID:4328

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
316⤵
PID:3848

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
316⤵
PID:1456

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
317⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
"cmd"
318⤵
PID:3988

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
319⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
"cmd"
320⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
321⤵
PID:1744

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
320⤵
PID:4072

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
320⤵
PID:2572

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
321⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
"cmd"
322⤵
PID:2012

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
323⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
"cmd"
324⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
325⤵
PID:2628

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
324⤵
PID:2980

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
325⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
"cmd"
326⤵
PID:1760

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
327⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
"cmd"
328⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
329⤵
- Adds Run key to start application
PID:4556

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
328⤵
PID:1484

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
328⤵
PID:4912

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
329⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"cmd"
330⤵
PID:4508

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
331⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
"cmd"
332⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
333⤵
- Adds Run key to start application
PID:3908

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
332⤵
PID:3100

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
332⤵
PID:1836

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
333⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
"cmd"
334⤵
PID:4204

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
335⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"cmd"
336⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
337⤵
PID:3004

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
336⤵
PID:2616

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
337⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
"cmd"
338⤵
PID:3848

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
339⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
"cmd"
340⤵
PID:516

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
341⤵
PID:1308

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
340⤵
PID:4656

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
341⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
"cmd"
342⤵
PID:2052

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
343⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
"cmd"
344⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
345⤵
PID:1992

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
344⤵
PID:1160

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
344⤵
PID:2772

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
344⤵
PID:4488

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
344⤵
PID:4132

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
344⤵
PID:1172

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
345⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
"cmd"
346⤵
PID:796

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
347⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
"cmd"
348⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
349⤵
PID:1672

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
348⤵
PID:1584

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
349⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
"cmd"
350⤵
PID:2044

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
351⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
"cmd"
352⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
353⤵
PID:3336

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
352⤵
PID:3916

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
353⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
"cmd"
354⤵
PID:1676

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
355⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
"cmd"
356⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
357⤵
PID:4392

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
356⤵
PID:4652

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
356⤵
PID:4576

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
357⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
"cmd"
358⤵
PID:2888

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
359⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
"cmd"
360⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
361⤵
- Adds Run key to start application
PID:1744

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
360⤵
PID:1592

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
361⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
"cmd"
362⤵
PID:2376

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
363⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
"cmd"
364⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
365⤵
PID:4704

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
364⤵
PID:2764

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
364⤵
PID:1236

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
365⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd"
366⤵
PID:1784

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
367⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
"cmd"
368⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
369⤵
PID:2240

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
368⤵
PID:4416

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
369⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
"cmd"
370⤵
PID:1244

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
371⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"cmd"
372⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
373⤵
PID:752

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
372⤵
PID:2864

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
373⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
"cmd"
374⤵
PID:2720

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
375⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
"cmd"
376⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
377⤵
PID:4960

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
376⤵
PID:1544

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
377⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd"
378⤵
PID:2528

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
379⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"cmd"
380⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
381⤵
PID:3212

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
380⤵
PID:1744

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
381⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
"cmd"
382⤵
PID:1660

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
383⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
"cmd"
384⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
385⤵
- Adds Run key to start application
PID:3040

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
384⤵
PID:4704

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
385⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
"cmd"
386⤵
PID:672

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
387⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
"cmd"
388⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
389⤵
- Adds Run key to start application
PID:2220

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
388⤵
PID:2816

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
389⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
"cmd"
390⤵
PID:2736

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
391⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
"cmd"
392⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
393⤵
PID:4116

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
392⤵
PID:1804

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
393⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd"
394⤵
PID:2284

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
395⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
"cmd"
396⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
397⤵
- Adds Run key to start application
PID:2180

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
396⤵
PID:892

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
397⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
"cmd"
398⤵
PID:2360

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
399⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
"cmd"
400⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
401⤵
PID:4164

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
400⤵
PID:552

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
401⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
"cmd"
402⤵
PID:4816

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
403⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
"cmd"
404⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
405⤵
PID:4504

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
404⤵
PID:3704

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
405⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
"cmd"
406⤵
PID:4860

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
407⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
"cmd"
408⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
409⤵
- Adds Run key to start application
PID:5032

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
408⤵
PID:2516

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
409⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
"cmd"
410⤵
PID:4216

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
411⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
"cmd"
412⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
413⤵
- Adds Run key to start application
PID:1528

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
412⤵
PID:796

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
413⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
"cmd"
414⤵
PID:3168

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
415⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"cmd"
416⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
417⤵
PID:4940

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
416⤵
PID:1740

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
416⤵
PID:3864

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
416⤵
PID:1032

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
416⤵
PID:3672

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
417⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
"cmd"
418⤵
PID:3936

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
419⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
"cmd"
420⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
421⤵
PID:4592

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
420⤵
PID:2920

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
421⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"cmd"
422⤵
PID:3960

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
423⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
"cmd"
424⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
425⤵
- Adds Run key to start application
PID:2616

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
424⤵
PID:4984

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
425⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
"cmd"
426⤵
PID:2008

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
427⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
"cmd"
428⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
429⤵
PID:4420

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
428⤵
PID:856

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
429⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
"cmd"
430⤵
PID:3664

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
431⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
"cmd"
432⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
433⤵
PID:3060

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
432⤵
PID:2548

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
433⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
"cmd"
434⤵
PID:4116

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
435⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
"cmd"
436⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
437⤵
PID:1768

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
436⤵
PID:2992

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
436⤵
PID:4108

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
437⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
"cmd"
438⤵
PID:1556

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
439⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
"cmd"
440⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
441⤵
PID:3992

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
440⤵
PID:2280

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
441⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"cmd"
442⤵
PID:4592

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
443⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
"cmd"
444⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
445⤵
PID:1720

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
444⤵
PID:1456

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
445⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
"cmd"
446⤵
PID:1764

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
447⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
"cmd"
448⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
449⤵
PID:3912

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
448⤵
PID:4924

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
449⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
"cmd"
450⤵
PID:776

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
451⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
"cmd"
452⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
453⤵
PID:2812

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
452⤵
PID:4660

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
453⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"cmd"
454⤵
PID:3520

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
455⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd"
456⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
457⤵
PID:2548

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
456⤵
PID:5036

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
457⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
"cmd"
458⤵
PID:2736

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
459⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"cmd"
460⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
461⤵
PID:4468

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
460⤵
PID:1580

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
460⤵
PID:3636

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
461⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
"cmd"
462⤵
PID:3992

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
463⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
"cmd"
464⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
465⤵
PID:2720

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
464⤵
PID:452

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
465⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
"cmd"
466⤵
PID:2360

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
467⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
"cmd"
468⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
469⤵
PID:3388

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
468⤵
PID:4304

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
468⤵
PID:4576

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
469⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"cmd"
470⤵
PID:4692

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
471⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
"cmd"
472⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
473⤵
PID:4780

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
472⤵
PID:4284

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
473⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
"cmd"
474⤵
PID:1988

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
475⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
"cmd"
476⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
477⤵
PID:3644

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
476⤵
PID:4456

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
477⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
"cmd"
478⤵
PID:1236

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
479⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
"cmd"
480⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
481⤵
PID:3632

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
480⤵
PID:3860

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
481⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
"cmd"
482⤵
PID:2992

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
483⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"cmd"
484⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
485⤵
- Adds Run key to start application
PID:3636

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
484⤵
PID:3916

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
484⤵
PID:2520

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
485⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
"cmd"
486⤵
PID:3936

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
487⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
"cmd"
488⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
489⤵
PID:372

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
488⤵
PID:2016

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
488⤵
PID:4012

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
489⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
"cmd"
490⤵
PID:3260

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
491⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd"
492⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
493⤵
- Adds Run key to start application
PID:4360

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
492⤵
PID:3024

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
493⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
"cmd"
494⤵
PID:4420

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
495⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
"cmd"
496⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
497⤵
- Adds Run key to start application
PID:316

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
496⤵
PID:1988

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
496⤵
PID:3704

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
497⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
"cmd"
498⤵
PID:1276

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
499⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"cmd"
500⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
501⤵
PID:1092

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
500⤵
PID:1044

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
501⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
"cmd"
502⤵
PID:4940

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
503⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
"cmd"
504⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
505⤵
PID:2776

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
504⤵
PID:3332

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
505⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
"cmd"
506⤵
PID:1412

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
507⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
"cmd"
508⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
509⤵
PID:1736

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
508⤵
PID:3936

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
509⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
"cmd"
510⤵
PID:5048

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
511⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
"cmd"
512⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
513⤵
PID:1764

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
512⤵
PID:3940

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
513⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
"cmd"
514⤵
PID:2232

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
515⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"cmd"
516⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
517⤵
PID:4816

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
516⤵
PID:1240

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
516⤵
PID:3124

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
517⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
"cmd"
518⤵
PID:4728

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
519⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
"cmd"
520⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
521⤵
- Adds Run key to start application
PID:516

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
520⤵
PID:1652

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
521⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
"cmd"
522⤵
PID:3468

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
523⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
"cmd"
524⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
525⤵
PID:1972

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
524⤵
PID:1840

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
525⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
"cmd"
526⤵
PID:5028

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
527⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"cmd"
528⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
529⤵
PID:4832

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
528⤵
PID:4688

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
529⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
"cmd"
530⤵
PID:4584

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
531⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
"cmd"
532⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
533⤵
PID:2720

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
532⤵
PID:3936

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
533⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
"cmd"
534⤵
PID:4192

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
535⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
"cmd"
536⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
537⤵
PID:2716

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
536⤵
PID:4464

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
537⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
"cmd"
538⤵
PID:1756

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
539⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
"cmd"
540⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
541⤵
PID:3260

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
540⤵
PID:4064

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
540⤵
PID:4604

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
541⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd"
542⤵
PID:2284

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
543⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
"cmd"
544⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
545⤵
PID:2984

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
544⤵
PID:5088

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
544⤵
PID:4488

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
545⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"cmd"
546⤵
PID:4796

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
547⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
"cmd"
548⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
549⤵
PID:3632

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
548⤵
PID:3640

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
549⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
"cmd"
550⤵
PID:1760

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
551⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
"cmd"
552⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
553⤵
- Adds Run key to start application
PID:852

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
552⤵
PID:4584

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
552⤵
PID:216

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
553⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
"cmd"
554⤵
PID:1424

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
555⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
"cmd"
556⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
557⤵
PID:2248

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
556⤵
PID:1932

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
557⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
"cmd"
558⤵
PID:1764

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
559⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"cmd"
560⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
561⤵
PID:4816

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
560⤵
PID:1864

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
561⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
"cmd"
562⤵
PID:4276

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
563⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
"cmd"
564⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
565⤵
PID:4420

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
564⤵
PID:4252

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
565⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
"cmd"
566⤵
PID:1652

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
567⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
"cmd"
568⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
569⤵
PID:4800

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
568⤵
PID:3904

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
568⤵
PID:1276

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
569⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
"cmd"
570⤵
PID:2064

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
571⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"cmd"
572⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
573⤵
PID:4556

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
572⤵
PID:4628

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
572⤵
PID:4204

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
573⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"cmd"
574⤵
PID:3948

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
575⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
"cmd"
576⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
577⤵
- Adds Run key to start application
PID:2864

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
576⤵
PID:796

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
576⤵
PID:4444

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
576⤵
PID:1412

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
576⤵
PID:2044

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
577⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
"cmd"
578⤵
PID:2184

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
579⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
"cmd"
580⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
581⤵
- Adds Run key to start application
PID:3032

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
580⤵
PID:4172

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
581⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
"cmd"
582⤵
PID:4816

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
583⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
"cmd"
584⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
585⤵
PID:4024

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
584⤵
PID:4404

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
584⤵
PID:1644

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
585⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"cmd"
586⤵
PID:4420

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
587⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
"cmd"
588⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
589⤵
PID:1160

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
588⤵
PID:1992

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
589⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
"cmd"
590⤵
PID:1652

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
591⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
"cmd"
592⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
593⤵
PID:3624

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
592⤵
PID:3792

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
593⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
"cmd"
594⤵
PID:3640

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
595⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
"cmd"
596⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
597⤵
PID:2660

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
596⤵
PID:4912

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
597⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
"cmd"
598⤵
PID:2596

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
599⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
"cmd"
600⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
601⤵
- Adds Run key to start application
PID:2280

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
600⤵
PID:1412

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
600⤵
PID:3948

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
601⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
"cmd"
602⤵
PID:2016

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
603⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"cmd"
604⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
605⤵
- Adds Run key to start application
PID:2232

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
604⤵
PID:4172

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
604⤵
PID:2072

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
605⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
"cmd"
606⤵
PID:2816

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
607⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
"cmd"
608⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
609⤵
PID:2360

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
608⤵
PID:2008

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
609⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd"
610⤵
PID:2544

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
611⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
"cmd"
612⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
613⤵
PID:3664

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
612⤵
PID:2836

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
612⤵
PID:4624

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
612⤵
PID:4420

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
613⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
"cmd"
614⤵
PID:2628

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
615⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
"cmd"
616⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
617⤵
PID:5032

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
616⤵
PID:3904

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
617⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
"cmd"
618⤵
PID:1020

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
619⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
"cmd"
620⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
621⤵
PID:5028

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
620⤵
PID:556

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
621⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
"cmd"
622⤵
PID:3916

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
623⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
"cmd"
624⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
625⤵
PID:3936

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
624⤵
PID:2596

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
625⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
"cmd"
626⤵
PID:792

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
627⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
"cmd"
628⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
629⤵
PID:2184

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
628⤵
PID:5068

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
629⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
"cmd"
630⤵
PID:1484

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
631⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
"cmd"
632⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
633⤵
PID:4492

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
632⤵
PID:1112

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
633⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
"cmd"
634⤵
PID:1240

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
635⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
"cmd"
636⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
637⤵
PID:1660

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
636⤵
PID:3040

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
637⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
"cmd"
638⤵
PID:4072

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
639⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
"cmd"
640⤵
PID:4348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upd.txt
Filesize
43B

MD5
b4724393ed2b978f7e1b0ad28069bd78

SHA1
b0651a6182a14f1e6df686362b71cd1b733b3855

SHA256
60844d99335de5e42df33bef493812f91872a290d1f7c221bc1fbb980815aad6

SHA512
3b2a98df461ef5d1c0db01a3901f3c041ddc8e9d17ead457b0851c83bc96971a73186d6e8d2c7c33d35987f5777035f580036aa7998416b043bdc19ebea1cac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upd.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\file.exe
Filesize
283KB

MD5
6b5a574c81822c806e598fde5aad93fc

SHA1
afbdd84b379d5c392674f2a54bedf01f6f7f9f2b

SHA256
fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa

SHA512
5ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff

Download Submit
memory/412-109-0x00000000049B0000-0x00000000049FA000-memory.dmp

Filesize
296KB

Download
memory/412-775-0x0000000004E10000-0x0000000004E5A000-memory.dmp

Filesize
296KB

Download
memory/472-219-0x00000000048D0000-0x000000000491A000-memory.dmp

Filesize
296KB

Download
memory/672-736-0x0000000005620000-0x000000000566A000-memory.dmp

Filesize
296KB

Download
memory/936-701-0x0000000004960000-0x00000000049AA000-memory.dmp

Filesize
296KB

Download
memory/936-783-0x0000000002440000-0x000000000248A000-memory.dmp

Filesize
296KB

Download
memory/956-1275-0x00000000054D0000-0x000000000551A000-memory.dmp

Filesize
296KB

Download
memory/1032-337-0x0000000002E70000-0x0000000002EBA000-memory.dmp

Filesize
296KB

Download
memory/1048-256-0x0000000003070000-0x00000000030BA000-memory.dmp

Filesize
296KB

Download
memory/1172-396-0x0000000004B90000-0x0000000004BDA000-memory.dmp

Filesize
296KB

Download
memory/1280-446-0x0000000003170000-0x00000000031BA000-memory.dmp

Filesize
296KB

Download
memory/1312-175-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1440-303-0x00000000024C0000-0x000000000250A000-memory.dmp

Filesize
296KB

Download
memory/1456-271-0x00000000033C0000-0x000000000340A000-memory.dmp

Filesize
296KB

Download
memory/1484-959-0x0000000004FB0000-0x0000000004FFA000-memory.dmp

Filesize
296KB

Download
memory/1572-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1600-1143-0x0000000004A00000-0x0000000004A4A000-memory.dmp

Filesize
296KB

Download
memory/1628-1668-0x0000000002830000-0x000000000287A000-memory.dmp

Filesize
296KB

Download
memory/1696-1727-0x0000000002BB0000-0x0000000002BFA000-memory.dmp

Filesize
296KB

Download
memory/1704-1490-0x0000000002B60000-0x0000000002BAA000-memory.dmp

Filesize
296KB

Download
memory/1740-1467-0x0000000002DA0000-0x0000000002DEA000-memory.dmp

Filesize
296KB

Download
memory/1756-812-0x00000000025A0000-0x00000000025EA000-memory.dmp

Filesize
296KB

Download
memory/1804-956-0x0000000002F20000-0x0000000002F6A000-memory.dmp

Filesize
296KB

Download
memory/1820-1363-0x0000000004C30000-0x0000000004C7A000-memory.dmp

Filesize
296KB

Download
memory/2052-15-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/2052-856-0x0000000004D40000-0x0000000004D8A000-memory.dmp

Filesize
296KB

Download
memory/2052-13-0x0000000005190000-0x00000000051DA000-memory.dmp

Filesize
296KB

Download
memory/2052-12-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/2052-22-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/2076-2151-0x00000000057A0000-0x00000000057EA000-memory.dmp

Filesize
296KB

Download
memory/2152-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2364-250-0x0000000002870000-0x00000000028BA000-memory.dmp

Filesize
296KB

Download
memory/2364-1775-0x00000000014D0000-0x000000000151A000-memory.dmp

Filesize
296KB

Download
memory/2388-686-0x00000000024C0000-0x000000000250A000-memory.dmp

Filesize
296KB

Download
memory/2460-511-0x0000000005810000-0x000000000585A000-memory.dmp

Filesize
296KB

Download
memory/2628-1064-0x0000000002A60000-0x0000000002AAA000-memory.dmp

Filesize
296KB

Download
memory/2716-1009-0x0000000002C10000-0x0000000002C5A000-memory.dmp

Filesize
296KB

Download
memory/2760-124-0x0000000004B60000-0x0000000004BAA000-memory.dmp

Filesize
296KB

Download
memory/2772-626-0x0000000000D30000-0x0000000000D7A000-memory.dmp

Filesize
296KB

Download
memory/2772-1500-0x0000000004ED0000-0x0000000004F1A000-memory.dmp

Filesize
296KB

Download
memory/2776-869-0x0000000002DD0000-0x0000000002E1A000-memory.dmp

Filesize
296KB

Download
memory/2812-820-0x0000000004C40000-0x0000000004C8A000-memory.dmp

Filesize
296KB

Download
memory/2852-1348-0x0000000001E10000-0x0000000001E5A000-memory.dmp

Filesize
296KB

Download
memory/3332-1515-0x0000000002410000-0x000000000245A000-memory.dmp

Filesize
296KB

Download
memory/3632-707-0x0000000002470000-0x00000000024BA000-memory.dmp

Filesize
296KB

Download
memory/3660-1290-0x0000000004B40000-0x0000000004B8A000-memory.dmp

Filesize
296KB

Download
memory/3664-1904-0x0000000002540000-0x000000000258A000-memory.dmp

Filesize
296KB

Download
memory/3700-540-0x00000000053D0000-0x000000000541A000-memory.dmp

Filesize
296KB

Download
memory/3732-1477-0x0000000005100000-0x000000000514A000-memory.dmp

Filesize
296KB

Download
memory/3780-2048-0x0000000002C80000-0x0000000002CCA000-memory.dmp

Filesize
296KB

Download
memory/3876-2105-0x0000000002AC0000-0x0000000002B0A000-memory.dmp

Filesize
296KB

Download
memory/3936-416-0x0000000005190000-0x00000000051DA000-memory.dmp

Filesize
296KB

Download
memory/4040-5-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/4040-3-0x00000000023F0000-0x000000000243A000-memory.dmp

Filesize
296KB

Download
memory/4040-1-0x00000000000A0000-0x00000000000EC000-memory.dmp

Filesize
304KB

Download
memory/4040-2-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/4040-4-0x0000000004540000-0x000000000454A000-memory.dmp

Filesize
40KB

Download
memory/4040-11-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/4040-0-0x000000007538E000-0x000000007538F000-memory.dmp

Filesize
4KB

Download
memory/4064-293-0x0000000005660000-0x00000000056AA000-memory.dmp

Filesize
296KB

Download
memory/4108-73-0x0000000005760000-0x00000000057AA000-memory.dmp

Filesize
296KB

Download
memory/4120-2157-0x0000000004EB0000-0x0000000004EFA000-memory.dmp

Filesize
296KB

Download
memory/4132-555-0x0000000004A20000-0x0000000004A6A000-memory.dmp

Filesize
296KB

Download
memory/4136-1173-0x0000000002FE0000-0x000000000302A000-memory.dmp

Filesize
296KB

Download
memory/4164-475-0x0000000002730000-0x000000000277A000-memory.dmp

Filesize
296KB

Download
memory/4204-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4308-440-0x0000000004EE0000-0x0000000004F2A000-memory.dmp

Filesize
296KB

Download
memory/4404-2035-0x0000000002EE0000-0x0000000002F2A000-memory.dmp

Filesize
296KB

Download
memory/4408-2148-0x0000000002590000-0x00000000025DA000-memory.dmp

Filesize
296KB

Download
memory/4408-1338-0x0000000002230000-0x000000000227A000-memory.dmp

Filesize
296KB

Download
memory/4508-636-0x0000000004BA0000-0x0000000004BEA000-memory.dmp

Filesize
296KB

Download
memory/4552-1165-0x00000000028C0000-0x000000000290A000-memory.dmp

Filesize
296KB

Download
memory/4684-1190-0x0000000004FE0000-0x000000000502A000-memory.dmp

Filesize
296KB

Download
memory/4860-772-0x0000000004990000-0x00000000049DA000-memory.dmp

Filesize
296KB

Download
memory/4916-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4916-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4916-19-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4960-176-0x00000000058D0000-0x000000000591A000-memory.dmp

Filesize
296KB

Download
memory/4980-1095-0x0000000002420000-0x000000000246A000-memory.dmp

Filesize
296KB

Download