496aa3e4a9d5e40c665fab0c26fcced1907d08ac0be99dcf7f86af11bd23a281

Analysis

max time kernel
45s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 03:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe
Size

68KB
MD5

82d2f1ccf7ac7c751bfec8b771f7db0d
SHA1

91911867fddc68a7abd5cd4ead7c21be74df0e1a
SHA256

496aa3e4a9d5e40c665fab0c26fcced1907d08ac0be99dcf7f86af11bd23a281
SHA512

44b048e5cfafe6966ac0ce5b168242ac2a0fd22687ca38494908ab1793a89ee2fccfb18fc1f878a604628b5cb527b6dccbf9643265dee23cc01fa72e07e865af
SSDEEP

1536:2zX1z1RieG2bPWRBSfxeGqES51P4TWf1zjRiXAANE8T8sb5:2zX11IeG2QKeGDS5dm6R8NX5

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
380	EXPL0RER.EXE
4316	EXPL0RER.EXE
1940	EXPL0RER.EXE
1596	EXPL0RER.EXE
4144	EXPL0RER.EXE
3320	EXPL0RER.EXE
4604	EXPL0RER.EXE
3504	EXPL0RER.EXE
3288	EXPL0RER.EXE
2232	EXPL0RER.EXE
4916	EXPL0RER.EXE
2256	EXPL0RER.EXE
5076	EXPL0RER.EXE
2540	EXPL0RER.EXE
1988	EXPL0RER.EXE
4596	EXPL0RER.EXE
2016	EXPL0RER.EXE
536	EXPL0RER.EXE
3276	EXPL0RER.EXE
3224	EXPL0RER.EXE
4920	EXPL0RER.EXE
3612	EXPL0RER.EXE
4832	EXPL0RER.EXE
4172	EXPL0RER.EXE
2612	EXPL0RER.EXE
4580	EXPL0RER.EXE
4052	EXPL0RER.EXE
4844	EXPL0RER.EXE
4912	EXPL0RER.EXE
2052	EXPL0RER.EXE
3032	EXPL0RER.EXE
2460	EXPL0RER.EXE
3152	EXPL0RER.EXE
3576	EXPL0RER.EXE
4980	EXPL0RER.EXE
2624	EXPL0RER.EXE
2868	EXPL0RER.EXE
1056	EXPL0RER.EXE
3280	EXPL0RER.EXE
4216	EXPL0RER.EXE
932	EXPL0RER.EXE
384	EXPL0RER.EXE
4616	EXPL0RER.EXE
636	EXPL0RER.EXE
2264	EXPL0RER.EXE
1564	EXPL0RER.EXE
2504	EXPL0RER.EXE
2076	EXPL0RER.EXE
2984	EXPL0RER.EXE
1792	EXPL0RER.EXE
3440	EXPL0RER.EXE
208	EXPL0RER.EXE
3536	EXPL0RER.EXE
2832	EXPL0RER.EXE
1932	EXPL0RER.EXE
2784	EXPL0RER.EXE
620	EXPL0RER.EXE
3244	EXPL0RER.EXE
1584	EXPL0RER.EXE
4680	EXPL0RER.EXE
3128	EXPL0RER.EXE
1476	EXPL0RER.EXE
3696	EXPL0RER.EXE
3968	EXPL0RER.EXE

Loads dropped DLL 64 IoCs

pid	Process
3124	regsvr32.exe
2224	regsvr32.exe
1240	regsvr32.exe
1240	regsvr32.exe
1520	regsvr32.exe
1520	regsvr32.exe
1604	regsvr32.exe
1232	regsvr32.exe
1232	regsvr32.exe
3316	regsvr32.exe
5028	regsvr32.exe
5028	regsvr32.exe
2356	regsvr32.exe
4268	regsvr32.exe
4048	regsvr32.exe
2592	regsvr32.exe
1608	regsvr32.exe
1584	regsvr32.exe
2396	regsvr32.exe
2396	regsvr32.exe
1372	regsvr32.exe
1372	regsvr32.exe
3960	regsvr32.exe
3960	regsvr32.exe
3608	regsvr32.exe
4036	regsvr32.exe
4036	regsvr32.exe
4184	regsvr32.exe
1912	regsvr32.exe
3772	regsvr32.exe
4724	regsvr32.exe
1932	regsvr32.exe
1932	regsvr32.exe
3052	regsvr32.exe
4056	regsvr32.exe
4056	regsvr32.exe
3896	regsvr32.exe
4048	regsvr32.exe
2264	regsvr32.exe
3136	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
4688	regsvr32.exe
1372	regsvr32.exe
1240	regsvr32.exe
1240	regsvr32.exe
2436	regsvr32.exe
2436	regsvr32.exe
2340	regsvr32.exe
1084	regsvr32.exe
1088	regsvr32.exe
3984	regsvr32.exe
4904	regsvr32.exe
3828	regsvr32.exe
3828	regsvr32.exe
3548	regsvr32.exe
4260	regsvr32.exe
868	regsvr32.exe
2352	regsvr32.exe
3136	regsvr32.exe
4264	regsvr32.exe
448	regsvr32.exe
4248	regsvr32.exe
1072	regsvr32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4448-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0008000000023478-6.dat	upx
behavioral2/memory/4316-37-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1940-55-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1596-69-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4144-89-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4448-165-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/380-181-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4316-197-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1940-213-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/5076-214-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1596-221-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4144-233-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3320-245-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4604-257-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2016-262-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3504-269-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/536-274-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3288-282-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3224-298-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2232-297-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4920-309-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4916-305-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2256-317-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4832-333-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/5076-328-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2540-341-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4172-346-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1988-353-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4596-365-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2016-376-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/536-387-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3276-398-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3224-409-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4920-421-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3612-432-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4832-443-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4172-455-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2612-467-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4580-478-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4052-489-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4844-500-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4912-511-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2052-522-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3032-534-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2460-545-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3152-556-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3576-567-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4980-578-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2624-589-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2868-600-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1056-611-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3280-622-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4216-633-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/932-645-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/384-656-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4616-668-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/636-679-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2264-690-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1564-701-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/620-713-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2504-712-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2076-724-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2984-735-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE

Program crash 64 IoCs

pid	pid_target	Process	procid_target
8036	4616	WerFault.exe	171
8044	636	WerFault.exe	173
2216	3324	WerFault.exe	277
3200	220	WerFault.exe	279
4924	4264	WerFault.exe	281
10308	3556	WerFault.exe	283
10544	2544	WerFault.exe	285
10672	2704	WerFault.exe	287
10812	1088	WerFault.exe	289
10936	4908	WerFault.exe	291
11012	5136	WerFault.exe	293
11232	5216	WerFault.exe	295
11256	5292	WerFault.exe	297
4924	5368	WerFault.exe	299
10640	5452	WerFault.exe	301
10788	5528	WerFault.exe	303
10672	5604	WerFault.exe	305
11120	5684	WerFault.exe	307
4724	5756	WerFault.exe	309
10364	5836	WerFault.exe	311
10512	5920	WerFault.exe	313
10624	6012	WerFault.exe	315
10904	6092	WerFault.exe	317
11028	5124	WerFault.exe	319
11108	5236	WerFault.exe	321
11060	5332	WerFault.exe	323
5244	5440	WerFault.exe	325
10764	5660	WerFault.exe	329
5936	5748	WerFault.exe	331
10744	5860	WerFault.exe	333
11136	6076	WerFault.exe	337
10552	5280	WerFault.exe	341
10308	5324	WerFault.exe	343
5680	5536	WerFault.exe	345
5936	5708	WerFault.exe	347
5724	5812	WerFault.exe	349
3584	5832	WerFault.exe	351
5384	6056	WerFault.exe	353
10512	5180	WerFault.exe	355
10716	5320	WerFault.exe	357
5768	5480	WerFault.exe	359
11040	5636	WerFault.exe	361
6104	5788	WerFault.exe	363
10744	5952	WerFault.exe	365
10292	6128	WerFault.exe	367
10772	5196	WerFault.exe	369
5936	5484	WerFault.exe	371
10924	5584	WerFault.exe	373
5644	5824	WerFault.exe	375
6104	6052	WerFault.exe	377
10896	5200	WerFault.exe	379
11072	5404	WerFault.exe	381
10528	1756	WerFault.exe	383
10592	5732	WerFault.exe	385
5364	5396	WerFault.exe	389
10840	5804	WerFault.exe	391
6104	6060	WerFault.exe	393
5912	1472	WerFault.exe	395
11208	5928	WerFault.exe	397
5780	6136	WerFault.exe	399
5936	5568	WerFault.exe	401
4820	5276	WerFault.exe	405
10252	5908	WerFault.exe	407
6316	5412	WerFault.exe	409

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3124	4448	82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe	84
PID 4448 wrote to memory of 3124	4448	82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe	84
PID 4448 wrote to memory of 3124	4448	82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe	84
PID 4448 wrote to memory of 380	4448	82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe	85
PID 4448 wrote to memory of 380	4448	82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe	85
PID 4448 wrote to memory of 380	4448	82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe	85
PID 380 wrote to memory of 2224	380	EXPL0RER.EXE	87
PID 380 wrote to memory of 2224	380	EXPL0RER.EXE	87
PID 380 wrote to memory of 2224	380	EXPL0RER.EXE	87
PID 380 wrote to memory of 4316	380	EXPL0RER.EXE	88
PID 380 wrote to memory of 4316	380	EXPL0RER.EXE	88
PID 380 wrote to memory of 4316	380	EXPL0RER.EXE	88
PID 4316 wrote to memory of 1240	4316	EXPL0RER.EXE	89
PID 4316 wrote to memory of 1240	4316	EXPL0RER.EXE	89
PID 4316 wrote to memory of 1240	4316	EXPL0RER.EXE	89
PID 4316 wrote to memory of 1940	4316	EXPL0RER.EXE	90
PID 4316 wrote to memory of 1940	4316	EXPL0RER.EXE	90
PID 4316 wrote to memory of 1940	4316	EXPL0RER.EXE	90
PID 1940 wrote to memory of 1520	1940	EXPL0RER.EXE	92
PID 1940 wrote to memory of 1520	1940	EXPL0RER.EXE	92
PID 1940 wrote to memory of 1520	1940	EXPL0RER.EXE	92
PID 1940 wrote to memory of 1596	1940	EXPL0RER.EXE	93
PID 1940 wrote to memory of 1596	1940	EXPL0RER.EXE	93
PID 1940 wrote to memory of 1596	1940	EXPL0RER.EXE	93
PID 1596 wrote to memory of 1604	1596	EXPL0RER.EXE	94
PID 1596 wrote to memory of 1604	1596	EXPL0RER.EXE	94
PID 1596 wrote to memory of 1604	1596	EXPL0RER.EXE	94
PID 1596 wrote to memory of 4144	1596	EXPL0RER.EXE	95
PID 1596 wrote to memory of 4144	1596	EXPL0RER.EXE	95
PID 1596 wrote to memory of 4144	1596	EXPL0RER.EXE	95
PID 4144 wrote to memory of 1232	4144	EXPL0RER.EXE	96
PID 4144 wrote to memory of 1232	4144	EXPL0RER.EXE	96
PID 4144 wrote to memory of 1232	4144	EXPL0RER.EXE	96
PID 4144 wrote to memory of 3320	4144	EXPL0RER.EXE	97
PID 4144 wrote to memory of 3320	4144	EXPL0RER.EXE	97
PID 4144 wrote to memory of 3320	4144	EXPL0RER.EXE	97
PID 3320 wrote to memory of 3316	3320	EXPL0RER.EXE	98
PID 3320 wrote to memory of 3316	3320	EXPL0RER.EXE	98
PID 3320 wrote to memory of 3316	3320	EXPL0RER.EXE	98
PID 3320 wrote to memory of 4604	3320	EXPL0RER.EXE	99
PID 3320 wrote to memory of 4604	3320	EXPL0RER.EXE	99
PID 3320 wrote to memory of 4604	3320	EXPL0RER.EXE	99
PID 4604 wrote to memory of 5028	4604	EXPL0RER.EXE	100
PID 4604 wrote to memory of 5028	4604	EXPL0RER.EXE	100
PID 4604 wrote to memory of 5028	4604	EXPL0RER.EXE	100
PID 4604 wrote to memory of 3504	4604	EXPL0RER.EXE	101
PID 4604 wrote to memory of 3504	4604	EXPL0RER.EXE	101
PID 4604 wrote to memory of 3504	4604	EXPL0RER.EXE	101
PID 3504 wrote to memory of 2356	3504	EXPL0RER.EXE	102
PID 3504 wrote to memory of 2356	3504	EXPL0RER.EXE	102
PID 3504 wrote to memory of 2356	3504	EXPL0RER.EXE	102
PID 3504 wrote to memory of 3288	3504	EXPL0RER.EXE	103
PID 3504 wrote to memory of 3288	3504	EXPL0RER.EXE	103
PID 3504 wrote to memory of 3288	3504	EXPL0RER.EXE	103
PID 3288 wrote to memory of 4268	3288	EXPL0RER.EXE	104
PID 3288 wrote to memory of 4268	3288	EXPL0RER.EXE	104
PID 3288 wrote to memory of 4268	3288	EXPL0RER.EXE	104
PID 3288 wrote to memory of 2232	3288	EXPL0RER.EXE	105
PID 3288 wrote to memory of 2232	3288	EXPL0RER.EXE	105
PID 3288 wrote to memory of 2232	3288	EXPL0RER.EXE	105
PID 2232 wrote to memory of 4048	2232	EXPL0RER.EXE	140
PID 2232 wrote to memory of 4048	2232	EXPL0RER.EXE	140
PID 2232 wrote to memory of 4048	2232	EXPL0RER.EXE	140
PID 2232 wrote to memory of 4916	2232	EXPL0RER.EXE	107

C:\Users\Admin\AppData\Local\Temp\82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82d2f1ccf7ac7c751bfec8b771f7db0d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3124
- C:\Windows\SysWOW64\EXPL0RER.EXE
  C:\Windows\system32\EXPL0RER.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
    3⤵
    - Loads dropped DLL
    PID:2224
- - C:\Windows\SysWOW64\EXPL0RER.EXE
    C:\Windows\system32\EXPL0RER.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
      4⤵
      Loads dropped DLL
      PID:1240
  - - C:\Windows\SysWOW64\EXPL0RER.EXE
      C:\Windows\system32\EXPL0RER.EXE
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        5⤵
        Loads dropped DLL
        
        PID:1520
    - - C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        6⤵
        Loads dropped DLL
        
        PID:1604
      - C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        7⤵
        Loads dropped DLL
        
        PID:1232
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        9⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        10⤵
        Loads dropped DLL
        
        PID:2356
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        11⤵
        Loads dropped DLL
        
        PID:4268
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        12⤵
        Loads dropped DLL
        
        PID:4048
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        12⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        13⤵
        Loads dropped DLL
        
        PID:2592
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        13⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        14⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        14⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        15⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        16⤵
        Loads dropped DLL
        
        PID:2396
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        16⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        17⤵
        Loads dropped DLL
        
        PID:1372
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        17⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        18⤵
        Loads dropped DLL
        
        PID:3960
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        20⤵
        Loads dropped DLL
        
        PID:4036
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        20⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        21⤵
        Loads dropped DLL
        
        PID:4184
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        21⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        22⤵
        Loads dropped DLL
        
        PID:1912
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4920
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        23⤵
        Loads dropped DLL
        
        PID:3772
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        23⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        24⤵
        Loads dropped DLL
        
        PID:4724
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        25⤵
        Loads dropped DLL
        
        PID:1932
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4172
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        26⤵
        Loads dropped DLL
        
        PID:3052
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        26⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        27⤵
        Loads dropped DLL
        
        PID:4056
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        27⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        28⤵
        Loads dropped DLL
        
        PID:3896
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4052
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        29⤵
        Loads dropped DLL
        
        PID:4048
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        29⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        30⤵
        Loads dropped DLL
        
        PID:2264
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        30⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        31⤵
        Loads dropped DLL
        
        PID:3136
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        31⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        32⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        33⤵
        Loads dropped DLL
        
        PID:4688
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        33⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        34⤵
        Loads dropped DLL
        
        PID:1372
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        34⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        35⤵
        Loads dropped DLL
        
        PID:1240
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        36⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        37⤵
        Loads dropped DLL
        
        PID:2340
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2624
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        38⤵
        Loads dropped DLL
        
        PID:1084
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        38⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        39⤵
        Loads dropped DLL
        
        PID:1088
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        39⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        40⤵
        Loads dropped DLL
        
        PID:3984
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3280
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        41⤵
        Loads dropped DLL
        
        PID:4904
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        41⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        42⤵
        Loads dropped DLL
        
        PID:3828
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        42⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        43⤵
        Loads dropped DLL
        
        PID:3548
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        43⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        45⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:636
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        46⤵
        Loads dropped DLL
        
        PID:2352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        46⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        47⤵
        Loads dropped DLL
        
        PID:3136
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        48⤵
        Loads dropped DLL
        
        PID:4264
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        48⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        49⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        49⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        50⤵
        Loads dropped DLL
        
        PID:4248
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        50⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        51⤵
        Loads dropped DLL
        
        PID:1072
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        51⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        52⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        52⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        53⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        53⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        54⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        54⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        55⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        56⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1932
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        57⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        57⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        58⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:620
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        59⤵
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3244
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        60⤵
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        60⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        61⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4680
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        62⤵
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        62⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        63⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        63⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        64⤵
        
        PID:708
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        65⤵
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3968
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        66⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        66⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        67⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        67⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        68⤵
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        68⤵
        Drops file in Windows directory
        
        PID:3896
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        69⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        70⤵
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        70⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        71⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        71⤵
        
        PID:448
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        72⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        72⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        73⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        73⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        74⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        74⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        75⤵
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        75⤵
        Drops file in Windows directory
        
        PID:3052
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        76⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        77⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        77⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        78⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        78⤵
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        79⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        79⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        80⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        81⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        81⤵
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        82⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        82⤵
        Drops file in Windows directory
        
        PID:5036
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        83⤵
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        83⤵
        Drops file in Windows directory
        
        PID:3832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        84⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        84⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        85⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        85⤵
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        86⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        86⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        87⤵
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        87⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        88⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        88⤵
        Drops file in Windows directory
        
        PID:2352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        89⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        89⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        90⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        90⤵
        Drops file in Windows directory
        
        PID:3428
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        91⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        91⤵
        Drops file in Windows directory
        
        PID:4880
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        92⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        92⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        93⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        93⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        94⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        94⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        95⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        95⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        96⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        96⤵
        Drops file in Windows directory
        
        PID:4924
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        97⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        97⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3324
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        98⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        98⤵
        
        PID:220
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        99⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        99⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        100⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        101⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        101⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        102⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        102⤵
        Drops file in Windows directory
        
        PID:2704
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        103⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        103⤵
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        104⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        104⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        105⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        105⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        106⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        106⤵
        Drops file in Windows directory
        
        PID:5216
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        107⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        107⤵
        Drops file in Windows directory
        
        PID:5292
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        108⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        108⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        109⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        109⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        110⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        110⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        111⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        111⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        112⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        112⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5684
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        113⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        113⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        114⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        114⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        115⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        116⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        116⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        117⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        117⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        118⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        118⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        119⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        119⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        120⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        120⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        121⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        121⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        122⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        122⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        123⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        124⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        125⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        126⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        127⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        127⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        128⤵
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        128⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        129⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        129⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        130⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        130⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        131⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        131⤵
        Drops file in Windows directory
        
        PID:5536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        132⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        132⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        133⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        133⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        134⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        134⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        135⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        135⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        136⤵
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        136⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        137⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        138⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        138⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        139⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        139⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        140⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        140⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        141⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        141⤵
        Drops file in Windows directory
        
        PID:5952
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        142⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        142⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        143⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        143⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        144⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        144⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        145⤵
        Drops file in Windows directory
        
        PID:5584
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        146⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        146⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        147⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        147⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        148⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        148⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        149⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        149⤵
        Drops file in Windows directory
        
        PID:5404
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        150⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        150⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        151⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        151⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        152⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        152⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        153⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        153⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        154⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        155⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        155⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        156⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        156⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        157⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        157⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        158⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        158⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        159⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        159⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        160⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        160⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        161⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        161⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        162⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        162⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        163⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        163⤵
        Drops file in Windows directory
        
        PID:5412
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        164⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        165⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        166⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        167⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        167⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        168⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        168⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        169⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        169⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        170⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        170⤵
        Drops file in Windows directory
        
        PID:6552
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        171⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        171⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        172⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        172⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:6720
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        173⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        173⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        174⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        174⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        175⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        175⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        176⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        176⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        177⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        177⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        178⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        178⤵
        Drops file in Windows directory
        
        PID:6448
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        179⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        180⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        180⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        181⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        181⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        182⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        182⤵
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        183⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        183⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        185⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        185⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        186⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        186⤵
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        187⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        187⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6192
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        188⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        189⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        189⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        190⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6852
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        191⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        191⤵
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        192⤵
        
        PID:624
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        192⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        193⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        193⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        194⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        194⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        195⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        195⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        196⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        196⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        197⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        197⤵
        Drops file in Windows directory
        
        PID:4440
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        198⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        198⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        199⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        199⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        200⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        200⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        201⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        201⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4324
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        202⤵
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        202⤵
        
        PID:428
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        203⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        203⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        204⤵
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        204⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        205⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        205⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        206⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        206⤵
        Drops file in Windows directory
        
        PID:2828
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        207⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        208⤵
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        209⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        209⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        210⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        210⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        211⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        211⤵
        Drops file in Windows directory
        
        PID:7696
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        212⤵
        Modifies registry class
        
        PID:7764
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        212⤵
        Drops file in Windows directory
        
        PID:7780
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:7848
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        213⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        214⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        214⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        215⤵
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        215⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        216⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        217⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        217⤵
        Drops file in Windows directory
        
        PID:4472
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        218⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        218⤵
        Drops file in System32 directory
        
        PID:7736
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        219⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7808
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        219⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        220⤵
        Modifies registry class
        
        PID:7936
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        220⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        221⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        221⤵
        Drops file in Windows directory
        
        PID:8116
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        222⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        222⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        223⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        223⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:7668
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        224⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:7740
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        225⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        225⤵
        Drops file in System32 directory
        
        PID:7960
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        226⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        226⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        227⤵
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        227⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:7440
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        228⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        228⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        229⤵
        Modifies registry class
        
        PID:8044
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        229⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        230⤵
        
        PID:932
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        230⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:7416
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        231⤵
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        231⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        232⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        232⤵
        Drops file in Windows directory
        
        PID:2360
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        233⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        233⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        234⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        234⤵
        Drops file in System32 directory
        
        PID:7564
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        235⤵
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        235⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        236⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        236⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        237⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        237⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        238⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        238⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        239⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        239⤵
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        240⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        240⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:8268
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        241⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        241⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        242⤵
        Modifies registry class
        
        PID:8544
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        242⤵
        Drops file in System32 directory
        
        PID:8584
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        243⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        243⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        244⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        244⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:8944
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        245⤵
        Drops file in System32 directory
        
        PID:8972
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        246⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:9100
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        247⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        247⤵
        Drops file in System32 directory
        
        PID:9212
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        248⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        248⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        249⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        249⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        250⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        250⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:8764
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        251⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        251⤵
        Drops file in Windows directory
        
        PID:3536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        252⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        253⤵
        Modifies registry class
        
        PID:9168
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        253⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        254⤵
        Modifies registry class
        
        PID:8380
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        254⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        255⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:8224
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:8808
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        256⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        257⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        257⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        258⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        258⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8236
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        259⤵
        Modifies registry class
        
        PID:8428
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        259⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        260⤵
        Modifies registry class
        
        PID:8828
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        260⤵
        Drops file in Windows directory
        
        PID:8924
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        261⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        261⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:8244
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        262⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        263⤵
        Modifies registry class
        
        PID:9016
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        263⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        264⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        264⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        265⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        265⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        266⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        266⤵
        Drops file in Windows directory
        
        PID:6340
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        267⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:8332
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:9048
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        268⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        269⤵
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        269⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        270⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        270⤵
        Drops file in Windows directory
        
        PID:9276
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        271⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        271⤵
        Drops file in Windows directory
        
        PID:9384
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:9452
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        272⤵
        Drops file in Windows directory
        
        PID:9496
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        273⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        273⤵
        Drops file in Windows directory
        
        PID:9596
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:9688
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        274⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        275⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        275⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        276⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        276⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        277⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:10076
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        278⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        278⤵
        Drops file in Windows directory
        
        PID:10208
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        279⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        279⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        280⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:9436
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        281⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        281⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        282⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        282⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        283⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        283⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:9936
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        284⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        284⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        285⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        285⤵
        Drops file in System32 directory
        
        PID:9244
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:9400
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        286⤵
        Drops file in Windows directory
        
        PID:9624
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        287⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        287⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        288⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        288⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        289⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        289⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        290⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        290⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        291⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        291⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        292⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        292⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        293⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        293⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        294⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        294⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        295⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        295⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        296⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        296⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        297⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        297⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        298⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        298⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        299⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        299⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        300⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        300⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        301⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        301⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        302⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        302⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        303⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        303⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        304⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        304⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        305⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        305⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        306⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        306⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        307⤵
        
        PID:660
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        307⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        308⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        308⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        309⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        309⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        310⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        310⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        311⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        311⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        312⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        312⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        313⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        313⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        314⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        314⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        315⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        315⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        316⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        316⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        317⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        317⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        318⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        318⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        319⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        319⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        320⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        320⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        321⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        321⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        322⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        322⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        323⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        323⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        324⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        324⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        325⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        325⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        326⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        326⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        327⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        327⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        328⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        328⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        329⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        329⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        330⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        330⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        331⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        331⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        332⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        332⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        333⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        333⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        334⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        334⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        335⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        335⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        336⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        336⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        337⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        337⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        338⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        338⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        339⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        339⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        340⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        340⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        341⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        341⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        342⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        342⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        343⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        343⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        344⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        344⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        345⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        345⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        346⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        346⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        347⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        347⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        348⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        348⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        349⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        349⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        350⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        350⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        351⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        351⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        352⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        352⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        353⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        353⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        354⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        354⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        355⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        355⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        356⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        356⤵
        
        PID:660
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        357⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        357⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        358⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        358⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        359⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        359⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        360⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        360⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        361⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        361⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        362⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        362⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        363⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        363⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        364⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        364⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        365⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        365⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        366⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        366⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        367⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        367⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        368⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        368⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        369⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        369⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        370⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        370⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        371⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        371⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        372⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        372⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        373⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        373⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        374⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 416
        190⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 440
        189⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 416
        185⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6236 -s 448
        184⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 376
        181⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 444
        180⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 416
        177⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 444
        176⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 440
        173⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 444
        172⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 448
        171⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 452
        170⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 456
        165⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 444
        164⤵
        Program crash
        
        PID:6316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 384
        163⤵
        Program crash
        
        PID:10252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 448
        162⤵
        Program crash
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 384
        160⤵
        Program crash
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 416
        159⤵
        Program crash
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 448
        158⤵
        Program crash
        
        PID:11208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 176
        157⤵
        Program crash
        
        PID:5912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 444
        156⤵
        Program crash
        
        PID:6104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 412
        155⤵
        Program crash
        
        PID:10840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 412
        154⤵
        Program crash
        
        PID:5364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 184
        152⤵
        Program crash
        
        PID:10592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 452
        151⤵
        Program crash
        
        PID:10528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 452
        150⤵
        Program crash
        
        PID:11072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 408
        149⤵
        Program crash
        
        PID:10896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 408
        148⤵
        Program crash
        
        PID:6104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 444
        147⤵
        Program crash
        
        PID:5644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 416
        146⤵
        Program crash
        
        PID:10924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 452
        145⤵
        Program crash
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 408
        144⤵
        Program crash
        
        PID:10772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 440
        143⤵
        Program crash
        
        PID:10292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 412
        142⤵
        Program crash
        
        PID:10744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 456
        141⤵
        Program crash
        
        PID:6104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 448
        140⤵
        Program crash
        
        PID:11040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 448
        139⤵
        Program crash
        
        PID:5768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 372
        138⤵
        Program crash
        
        PID:10716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 412
        137⤵
        Program crash
        
        PID:10512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 412
        136⤵
        Program crash
        
        PID:5384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 416
        135⤵
        Program crash
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 412
        134⤵
        Program crash
        
        PID:5724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 456
        133⤵
        Program crash
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 408
        132⤵
        Program crash
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 176
        131⤵
        Program crash
        
        PID:10308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 412
        130⤵
        Program crash
        
        PID:10552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 448
        128⤵
        Program crash
        
        PID:11136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 456
        126⤵
        Program crash
        
        PID:10744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 380
        125⤵
        Program crash
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 444
        124⤵
        Program crash
        
        PID:10764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 452
        122⤵
        Program crash
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 416
        121⤵
        Program crash
        
        PID:11060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 416
        120⤵
        Program crash
        
        PID:11108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 452
        119⤵
        Program crash
        
        PID:11028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 416
        118⤵
        Program crash
        
        PID:10904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 448
        117⤵
        Program crash
        
        PID:10624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 408
        116⤵
        Program crash
        
        PID:10512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 452
        115⤵
        Program crash
        
        PID:10364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 176
        114⤵
        Program crash
        
        PID:4724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 412
        113⤵
        Program crash
        
        PID:11120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 456
        112⤵
        Program crash
        
        PID:10672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 412
        111⤵
        Program crash
        
        PID:10788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 412
        110⤵
        Program crash
        
        PID:10640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 448
        109⤵
        Program crash
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 180
        108⤵
        Program crash
        
        PID:11256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 448
        107⤵
        Program crash
        
        PID:11232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 448
        106⤵
        Program crash
        
        PID:11012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 448
        105⤵
        Program crash
        
        PID:10936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 408
        104⤵
        Program crash
        
        PID:10812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 176
        103⤵
        Program crash
        
        PID:10672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 412
        102⤵
        Program crash
        
        PID:10544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 452
        101⤵
        Program crash
        
        PID:10308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 444
        100⤵
        Program crash
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 180
        99⤵
        Program crash
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 416
        98⤵
        Program crash
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        97⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        96⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        95⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        94⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        93⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        92⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        91⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        90⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        89⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        88⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        87⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        86⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        85⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        84⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        83⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        82⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        81⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        80⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        79⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        78⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        77⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        76⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        75⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        74⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        73⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        72⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        71⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        70⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        69⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        68⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        67⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        66⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        65⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        64⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        63⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        62⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        61⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        60⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        59⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        58⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        57⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        56⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        55⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        54⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        53⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:8372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        51⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        50⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        49⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        48⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        47⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 444
        46⤵
        Program crash
        
        PID:8044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 452
        45⤵
        Program crash
        
        PID:8036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        44⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        43⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        42⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        41⤵
        
        PID:7560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        40⤵
        
        PID:7284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        39⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        38⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        37⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        36⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        35⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        34⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        33⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        32⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        31⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        30⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        29⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        28⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        27⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        26⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        25⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        24⤵
        
        PID:5736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        23⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        22⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        20⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        19⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        18⤵
        
        PID:6748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        17⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        16⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        15⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        14⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        13⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        11⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        10⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        8⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        7⤵
        
        PID:6860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
        5⤵
        
        PID:6596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:6352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$336699.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$336699.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4616 -ip 4616
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 636 -ip 636
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3324 -ip 3324
1⤵
PID:9804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 220 -ip 220
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4264 -ip 4264
1⤵
PID:9804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3556 -ip 3556
1⤵
PID:10280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2544 -ip 2544
1⤵
PID:10424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2704 -ip 2704
1⤵
PID:10552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1088 -ip 1088
1⤵
PID:10776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4908 -ip 4908
1⤵
PID:10840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5136 -ip 5136
1⤵
PID:10952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5216 -ip 5216
1⤵
PID:11108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5292 -ip 5292
1⤵
PID:11212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5368 -ip 5368
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5452 -ip 5452
1⤵
PID:10312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5528 -ip 5528
1⤵
PID:10760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5604 -ip 5604
1⤵
PID:10908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5684 -ip 5684
1⤵
PID:10820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5756 -ip 5756
1⤵
PID:11180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5836 -ip 5836
1⤵
PID:11016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5920 -ip 5920
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6012 -ip 6012
1⤵
PID:10504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6092 -ip 6092
1⤵
PID:10564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5124 -ip 5124
1⤵
PID:10900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5236 -ip 5236
1⤵
PID:10640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5332 -ip 5332
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5440 -ip 5440
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5552 -ip 5552
1⤵
PID:10416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5660 -ip 5660
1⤵
PID:10528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5748 -ip 5748
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5860 -ip 5860
1⤵
PID:10760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5968 -ip 5968
1⤵
PID:10900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6076 -ip 6076
1⤵
PID:11164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5160 -ip 5160
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5280 -ip 5280
1⤵
PID:10416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5324 -ip 5324
1⤵
PID:10464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5536 -ip 5536
1⤵
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5708 -ip 5708
1⤵
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5812 -ip 5812
1⤵
PID:10800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5832 -ip 5832
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6056 -ip 6056
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5180 -ip 5180
1⤵
PID:10372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5320 -ip 5320
1⤵
PID:10996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5480 -ip 5480
1⤵
PID:10312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5636 -ip 5636
1⤵
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5788 -ip 5788
1⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5952 -ip 5952
1⤵
PID:10308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6128 -ip 6128
1⤵
PID:10924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5196 -ip 5196
1⤵
PID:10888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5484 -ip 5484
1⤵
PID:11156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5584 -ip 5584
1⤵
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5824 -ip 5824
1⤵
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6052 -ip 6052
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5200 -ip 5200
1⤵
PID:10744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5404 -ip 5404
1⤵
PID:11168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1756 -ip 1756
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5732 -ip 5732
1⤵
PID:11044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5156 -ip 5156
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5396 -ip 5396
1⤵
PID:10632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5804 -ip 5804
1⤵
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6060 -ip 6060
1⤵
PID:11260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1472 -ip 1472
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5928 -ip 5928
1⤵
PID:11032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6136 -ip 6136
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5568 -ip 5568
1⤵
PID:10312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5548 -ip 5548
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5276 -ip 5276
1⤵
PID:10880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5908 -ip 5908
1⤵
PID:10556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5412 -ip 5412
1⤵
PID:11032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5820 -ip 5820
1⤵
PID:10664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5208 -ip 5208
1⤵
PID:10512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5892 -ip 5892
1⤵
PID:6584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6196 -ip 6196
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6296 -ip 6296
1⤵
PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6456 -ip 6456
1⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6552 -ip 6552
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6636 -ip 6636
1⤵
PID:11032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6720 -ip 6720
1⤵
PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6804 -ip 6804
1⤵
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6892 -ip 6892
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7008 -ip 7008
1⤵
PID:11300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7136 -ip 7136
1⤵
PID:11320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6168 -ip 6168
1⤵
PID:11412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6448 -ip 6448
1⤵
PID:11528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6628 -ip 6628
1⤵
PID:11564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6776 -ip 6776
1⤵
PID:11656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6944 -ip 6944
1⤵
PID:11720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7124 -ip 7124
1⤵
PID:11792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6236 -ip 6236
1⤵
PID:11844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6536 -ip 6536
1⤵
PID:11880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6704 -ip 6704
1⤵
PID:11972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6924 -ip 6924
1⤵
PID:12072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2780 -ip 2780
1⤵
PID:12088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6384 -ip 6384
1⤵
PID:12156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4236 -ip 4236
1⤵
PID:12212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6852 -ip 6852
1⤵
PID:12260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 7052 -ip 7052
1⤵
PID:6820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7064 -ip 7064
1⤵
PID:11336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6568 -ip 6568
1⤵
PID:7100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\$$336699.bat

Filesize
141B

MD5
e3efc16ca26ae31f9885ee9549ff1f82

SHA1
4321f47a61712ffbbad7a39691359474db4b947c

SHA256
a03f261cc17b929ef96c2faeef03b77af3b62ab84bbb73a79beb84878b1bfa61

SHA512
f376e9be088782e394d21958bcdb5e7f00605b05290eff1320d64d5a76bfa619c260c8b5d971e7015bb118f0dd13ad73033f76e55b717611bc1a7d876f8e62ab

Download Submit
C:\Windows\SysWOW64\EXPL0RER.EXE

Filesize
68KB

MD5
82d2f1ccf7ac7c751bfec8b771f7db0d

SHA1
91911867fddc68a7abd5cd4ead7c21be74df0e1a

SHA256
496aa3e4a9d5e40c665fab0c26fcced1907d08ac0be99dcf7f86af11bd23a281

SHA512
44b048e5cfafe6966ac0ce5b168242ac2a0fd22687ca38494908ab1793a89ee2fccfb18fc1f878a604628b5cb527b6dccbf9643265dee23cc01fa72e07e865af

Download Submit
C:\Windows\SysWOW64\SysModule32.DLL

Filesize
49KB

MD5
edfd984bc81d1d61f8f15f86c836d937

SHA1
f8aa14f7ff4cc510e8e115e65d642e66cff024fc

SHA256
401201e517cf75a0a07e42982899c21935d3235dcfe2ddc437b1120173347fa2

SHA512
9aea310759b03450ef8ac4fe1c208b0a1de523cb4fbca5fceef1927d9643dbb4f3efe463c256181d3303fb3b0950b893093842ae60e1fafedbe008d894bf5232

Download Submit
C:\Windows\SysWOW64\SysModule64.DLL

Filesize
65KB

MD5
1cd2c8cd19fcb44ba7c880866e409f3f

SHA1
0d934e8a01c6e105e9a3ca9bbe43827a5ef7adcc

SHA256
c8697771d43714bb3c9ae68708f1924633a84f00feaa91e500135f0db3b41967

SHA512
543052a36d8db1ef12116bf0fe0e345b3146a29a1598b475563b3c55e237373c595199690171adfd2599626581b73f7a4ac40bdc0e64f52c96d61351bbac3792

Download Submit
memory/208-770-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-656-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-995-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-833-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-713-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-679-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-645-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-1032-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-667-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/1232-101-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/1240-454-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/1240-49-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/1372-1080-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-244-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/1412-896-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/1476-898-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-1056-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-1020-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-67-0x0000000000770000-0x0000000000786000-memory.dmp

Filesize
88KB

Download
memory/1560-1092-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-701-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-859-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-984-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-746-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-340-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/1932-808-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-1104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-724-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-690-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-232-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/2436-466-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2460-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-712-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-1186-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/2592-844-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/2612-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-821-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-796-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-735-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-1044-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-644-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/3128-885-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-846-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-759-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-1067-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-784-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-947-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-910-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-533-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/3832-420-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/3832-1138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-870-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/3880-1008-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-959-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-256-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/3968-922-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-281-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/4052-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-364-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/4144-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-1173-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/4216-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-1078-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/4316-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-972-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-935-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-1116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-668-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-872-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-1254-0x0000000000670000-0x0000000000686000-memory.dmp

Filesize
88KB

Download
memory/4688-1231-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download
memory/4832-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-133-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/5036-1127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download